{
	"id": "f380de1c-cb0e-45d8-a1d0-64bb9b2b9b60",
	"created_at": "2026-04-06T00:18:16.561547Z",
	"updated_at": "2026-04-10T03:34:41.56139Z",
	"deleted_at": null,
	"sha1_hash": "64beb3a0c870d097e83de70564f22bed4af23bf2",
	"title": "Operation Poisoned News, TwoSail Junk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51139,
	"plain_text": "Operation Poisoned News, TwoSail Junk\nArchived: 2026-04-05 23:02:23 UTC\nHome \u003e List all groups \u003e Operation Poisoned News, TwoSail Junk\n APT group: Operation Poisoned News, TwoSail Junk\nNames\nOperation Poisoned News (Trend Micro)\nTwoSail Junk (Kaspersky)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2020\nDescription\n(Kaspersky) A watering hole was discovered on January 10, 2020 utilizing a full remote iOS\nexploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been\ndesigned to target users in Hong Kong based on the content of the landing page. Since the\ninitial activity, we released two private reports exhaustively detailing spread, exploits,\ninfrastructure and LightSpy implants.\nWe are temporarily calling this APT group “TwoSail Junk”. Currently, we have hints from\nknown backdoor callbacks to infrastructure about clustering this campaign with previous\nactivity. And we are working with colleagues to tie LightSpy with prior activity from a long\nrunning Chinese-speaking APT group, previously reported on as Lotus Blossom, Spring\nDragon, Thrip, known for their Lotus Elise and Evora backdoor malware. Considering that this\nLightSpy activity has been disclosed publicly by our colleagues from TrendMicro, we would\nlike to further contribute missing information to the story without duplicating content. And, in\nour quest to secure technologies for a better future, we reported the malware and activity to\nApple and other relevant companies.\nObserved Countries: Hong Kong.\nTools used dmsSpy, lightSpy.\nInformation\nLast change to this card: 01 May 2020\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e9cf8d80-c883-40ef-a5eb-907db5b0e4b0\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e9cf8d80-c883-40ef-a5eb-907db5b0e4b0\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e9cf8d80-c883-40ef-a5eb-907db5b0e4b0\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e9cf8d80-c883-40ef-a5eb-907db5b0e4b0"
	],
	"report_names": [
		"showcard.cgi?u=e9cf8d80-c883-40ef-a5eb-907db5b0e4b0"
	],
	"threat_actors": [
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3703894e-cf68-4c1e-a71a-e8fd2ef76747",
			"created_at": "2023-11-08T02:00:07.166789Z",
			"updated_at": "2026-04-10T02:00:03.432192Z",
			"deleted_at": null,
			"main_name": "TwoSail Junk",
			"aliases": [
				"Operation Poisoned News"
			],
			"source_name": "MISPGALAXY:TwoSail Junk",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "741d58a1-0fc0-41a8-9681-106a06c07e61",
			"created_at": "2022-10-25T16:07:23.983046Z",
			"updated_at": "2026-04-10T02:00:04.822372Z",
			"deleted_at": null,
			"main_name": "Operation Poisoned News",
			"aliases": [
				"Operation Poisoned News",
				"TwoSail Junk"
			],
			"source_name": "ETDA:Operation Poisoned News",
			"tools": [
				"dmsSpy",
				"lightSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775792081,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64beb3a0c870d097e83de70564f22bed4af23bf2.pdf",
		"text": "https://archive.orkl.eu/64beb3a0c870d097e83de70564f22bed4af23bf2.txt",
		"img": "https://archive.orkl.eu/64beb3a0c870d097e83de70564f22bed4af23bf2.jpg"
	}
}