{
	"id": "14a5cf6d-0340-44f3-91bd-2316f57fa6e4",
	"created_at": "2026-04-06T00:09:34.910226Z",
	"updated_at": "2026-04-10T03:32:56.829925Z",
	"deleted_at": null,
	"sha1_hash": "5fdcbc203f62099fc1df287e503fe20b6d47b199",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51642,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:18:15 UTC\r\n APT group: PassCV\r\nNames PassCV (Blue Coat Systems)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2016\r\nDescription\r\n(Cylance) Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post.\r\nHis post provides a good introduction to the group and covers some of the older infrastructure,\r\nstolen code-signing certificate reuse, and other connections associated with the PassCV\r\nmalware. There are several clues alluding to the possibility that multiple groups may be\r\nutilizing the same stolen signing certificates, but at this time SPEAR believes the current\r\nattacks are more likely being perpetrated by a single group employing multiple publicly\r\navailable Remote Administration Tools (RATs).\r\nThe PassCV group has been operating with continued success and has already started to\r\nexpand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR\r\nidentified eighteen previously undisclosed stolen Authenticode certificates. These certificates\r\nwere originally issued to companies and individuals scattered across China, Taiwan, Korea,\r\nEurope, the United States and Russia.\r\nThe PassCV group typically utilized publicly available RATs in addition to some custom code,\r\nwhich ultimately provided backdoor functionality to affected systems via phony resumes and\r\ncurriculum vitae (CVs). PassCV continues to maintain a heavy reliance on obfuscated and\r\nsigned versions of older RATs like ZxShell and Ghost RAT, which have remained a favorite of\r\nthe wider Chinese criminal community since their initial public release.\r\nObserved\r\nSectors: Online video game companies.\r\nCountries: China, Russia, South Korea, Taiwan, USA and Europe.\r\nTools used Cobalt Strike, Excalibur, Gh0st RAT, Kitkiot, NetWire RC, Winnti, ZXShell.\r\nInformation\r\n\u003chttps://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html\u003e\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ffbdc428-4ee2-4402-b604-385bad6cb8ac\r\nPage 1 of 2\n\nLast change to this card: 14 April 2020\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ffbdc428-4ee2-4402-b604-385bad6cb8ac\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ffbdc428-4ee2-4402-b604-385bad6cb8ac\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ffbdc428-4ee2-4402-b604-385bad6cb8ac"
	],
	"report_names": [
		"showcard.cgi?u=ffbdc428-4ee2-4402-b604-385bad6cb8ac"
	],
	"threat_actors": [
		{
			"id": "27b56f48-7905-4da8-8d87-cea10adb1c6b",
			"created_at": "2022-10-25T16:07:24.044105Z",
			"updated_at": "2026-04-10T02:00:04.848898Z",
			"deleted_at": null,
			"main_name": "PassCV",
			"aliases": [],
			"source_name": "ETDA:PassCV",
			"tools": [
				"Agentemis",
				"AngryRebel",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Excalibur",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kitkiot",
				"Moudour",
				"Mydoor",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"PCRat",
				"RbDoor",
				"Recam",
				"RibDoor",
				"Sabresac",
				"Sensocode",
				"Winnti",
				"ZXShell",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dda68b4f-a74a-42a0-b883-69c1dc1229a8",
			"created_at": "2023-01-06T13:46:38.528227Z",
			"updated_at": "2026-04-10T02:00:03.013713Z",
			"deleted_at": null,
			"main_name": "PassCV",
			"aliases": [],
			"source_name": "MISPGALAXY:PassCV",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434174,
	"ts_updated_at": 1775791976,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5fdcbc203f62099fc1df287e503fe20b6d47b199.pdf",
		"text": "https://archive.orkl.eu/5fdcbc203f62099fc1df287e503fe20b6d47b199.txt",
		"img": "https://archive.orkl.eu/5fdcbc203f62099fc1df287e503fe20b6d47b199.jpg"
	}
}