{ "id": "6ecb736c-1544-4577-9d0e-81ee8448c0f2", "created_at": "2026-04-06T00:14:30.522806Z", "updated_at": "2026-04-10T03:30:42.16259Z", "deleted_at": null, "sha1_hash": "5a36201277aebadcf50430243f259597f8ecdae2", "title": "APT 6 - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48174, "plain_text": "APT 6 - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:43:55 UTC\n APT group: APT 6\nNames\nAPT 6 (FireEye)\n1.php Group (Zscaler)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2011\nDescription\n(Kaspersky) The FBI issued a rare bulletin admitting that a group named Advanced Persistent\nThreat 6 (APT6) hacked into US government computer systems as far back as 2011 and for\nyears stole sensitive data.\nThe FBI alert was issued in February and went largely unnoticed. Nearly a month later,\nsecurity experts are now shining a bright light on the alert and the mysterious group behind the\nattack.\n“This is a rare alert and a little late, but one that is welcomed by all security vendors as it\noffers a chance to mitigate their customers and also collaborate further in what appears to be\nan ongoing FBI investigation,” said Deepen Desai, director of security research at the security\nfirm Zscaler in an email to Threatpost.\nDetails regarding the actual attack and what government systems were infected are scant.\nGovernment officials said they knew the initial attack occurred in 2011, but are unaware of\nwho specifically is behind the attacks.\n“Given the nature of malware payload involved and the duration of this compromise being\nunnoticed – the scope of lateral movement inside the compromised network is very high\npossibly exposing all the critical systems,” Deepen said.\nObserved\nSectors: Government.\nCountries: USA.\nTools used Poison Ivy.\nInformation\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1a38d179-c0a4-4dda-a9a6-5c70b4386817\nPage 1 of 2\n\nLast change to this card: 14 April 2020\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1a38d179-c0a4-4dda-a9a6-5c70b4386817\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1a38d179-c0a4-4dda-a9a6-5c70b4386817\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1a38d179-c0a4-4dda-a9a6-5c70b4386817" ], "report_names": [ "showcard.cgi?u=1a38d179-c0a4-4dda-a9a6-5c70b4386817" ], "threat_actors": [ { "id": "0e03175d-b1fe-4d4e-bd3a-a8c0feb5eb43", "created_at": "2023-01-06T13:46:38.705578Z", "updated_at": "2026-04-10T02:00:03.073956Z", "deleted_at": null, "main_name": "APT6", "aliases": [ "1.php Group" ], "source_name": "MISPGALAXY:APT6", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "392aed78-4ef6-46ac-afba-c3920ea05d28", "created_at": "2022-10-25T16:07:23.323349Z", "updated_at": "2026-04-10T02:00:04.541652Z", "deleted_at": null, "main_name": "APT 6", "aliases": [ "1.php Group" ], "source_name": "ETDA:APT 6", "tools": [ "Chymine", "Darkmoon", "Gen:Trojan.Heur.PT", "Poison Ivy", "SPIVY", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434470, "ts_updated_at": 1775791842, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5a36201277aebadcf50430243f259597f8ecdae2.pdf", "text": "https://archive.orkl.eu/5a36201277aebadcf50430243f259597f8ecdae2.txt", "img": "https://archive.orkl.eu/5a36201277aebadcf50430243f259597f8ecdae2.jpg" } }