{ "id": "f391f1fd-57c2-4dfc-98b4-67f907396053", "created_at": "2026-04-06T00:21:44.29455Z", "updated_at": "2026-04-10T13:11:22.043875Z", "deleted_at": null, "sha1_hash": "5e739651256ea356cbd2357cb1b546eb78770957", "title": "Operation Groundbait - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 44171, "plain_text": "Operation Groundbait - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 18:59:09 UTC\nHome \u003e List all groups \u003e Operation Groundbait\n APT group: Operation Groundbait\nNames Operation Groundbait (ESET)\nCountry Ukraine\nMotivation Information theft and espionage\nFirst seen 2008\nDescription\n(ESET) After BlackEnergy, which has, most infamously, facilitated attacks that resulted in\npower outages for hundreds of thousands of Ukrainian civilians, and Operation Potao Express,\nwhere attackers went after sensitive TrueCrypt-protected data from high value targets, ESET\nresearchers have uncovered another cyberespionage operation in Ukraine: Operation\nGroundbait.\nThe main point that sets Operation Groundbait apart from the other attacks is that it has mostly\nbeen targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s\nRepublics.\nWhile the attackers seem to be more interested in separatists and the self-declared\ngovernments in eastern Ukrainian war zones, there have also been a large number of other\ntargets, including, among others, Ukrainian government officials, politicians and journalists.\nObserved\nSectors: Government and politicians and journalists.\nCountries: Ukraine.\nTools used Prikormka.\nInformation Last change to this card: 15 April 2020\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=38246b37-a51f-4980-800e-bc591e986073\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=38246b37-a51f-4980-800e-bc591e986073\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=38246b37-a51f-4980-800e-bc591e986073\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=38246b37-a51f-4980-800e-bc591e986073" ], "report_names": [ "showcard.cgi?u=38246b37-a51f-4980-800e-bc591e986073" ], "threat_actors": [ { "id": "4a892faf-3d4d-4615-b7b6-cdbc2ce42d8d", "created_at": "2022-10-25T16:07:23.99045Z", "updated_at": "2026-04-10T02:00:04.824683Z", "deleted_at": null, "main_name": "Operation Potao Express", "aliases": [], "source_name": "ETDA:Operation Potao Express", "tools": [ "FakeTC", "Patao" ], "source_id": "ETDA", "reports": null }, { "id": "4989a6be-779c-49fa-9732-51f44b269ee2", "created_at": "2023-01-06T13:46:38.573168Z", "updated_at": "2026-04-10T02:00:03.027853Z", "deleted_at": null, "main_name": "Groundbait", "aliases": [], "source_name": "MISPGALAXY:Groundbait", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "73446bf0-6d25-4f73-ab37-78c41d19ade9", "created_at": "2022-10-25T16:07:23.961856Z", "updated_at": "2026-04-10T02:00:04.809181Z", "deleted_at": null, "main_name": "Operation Groundbait", "aliases": [], "source_name": "ETDA:Operation Groundbait", "tools": [ "Prikormka" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434904, "ts_updated_at": 1775826682, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5e739651256ea356cbd2357cb1b546eb78770957.pdf", "text": "https://archive.orkl.eu/5e739651256ea356cbd2357cb1b546eb78770957.txt", "img": "https://archive.orkl.eu/5e739651256ea356cbd2357cb1b546eb78770957.jpg" } }