{
	"id": "238258f7-4c5a-4098-86c1-3f598a1d706b",
	"created_at": "2026-04-06T00:18:46.936457Z",
	"updated_at": "2026-04-10T03:35:47.186443Z",
	"deleted_at": null,
	"sha1_hash": "6501a5d94de6b7bb176f1fbabb3b85d00c41d232",
	"title": "Elite cyber crime group strikes back after attack by rival APT gang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 529602,
	"plain_text": "Elite cyber crime group strikes back after attack by rival APT\r\ngang\r\nBy Dan Goodin\r\nPublished: 2015-04-15 · Archived: 2026-04-05 14:21:47 UTC\r\nOne day last year, an obscure cyber espionage group sent a spear phishing e-mail. It carried the usual trappings of\r\na spear phish sent by advanced persistent threat actors. It was short, appeared to come from an address the target\r\nknew, and attached a payload that when clicked surreptitiously installed potent malware on the reader’s computer.\r\nBut there was something highly unusual about this spear phish, one that would throw the once-shadowy Hellsing\r\ngroup into the limelight. According to analysis from antivirus provider Kaspersky Lab, the targeted group in the\r\nspear phish wasn’t a government agency or embassy as is usually the case. Instead, it was Naikon, one of Asia’s\r\nlargest APT gangs and a rival to Hellsing. Naikon has been active for years and is known for attacks targeting\r\ngovernment and military leaders, diplomats, aviation authorities, and police in countries such as the Philippines,\r\nMalaysia, Cambodia, and Indonesia.\r\nCredit: Kaspersky Lab\r\nTo be fair to Hellsing, it was Naikon that started the fight. In February, about six weeks prior to the spear phish\r\nHellsing sent, Naikon had blasted out a spear phishing run of its own. One of the many groups that received the\r\nNaikon e-mail was Hellsing. Rather than blindly taking the bait, as is the case in so many APT-related spear\r\nphishes, Hellsing members took the time to check the legitimacy of the e-mail with the purported sender. When\r\nthe sender supplied an unsatisfactory response, Hellsing members fired off their own spear phish directed at the\r\nNaikon gang. 
Kaspersky researchers believe the event may mark the emergence of a new trend in cyber criminal\r\nactivity: APT-on-APT attacks.\r\n“The targeting of the Naikon group by Hellsing, in some sort of a vengeful vampire-hunting-‘Empire Strikes\r\nBack’ style, is fascinating,” Costin Raiu, director of global research and analyst team at Kaspersky Lab, said in a\r\npress release. “In the past, we’ve seen APT groups accidentally hitting each other while stealing address books\r\nfrom victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin\r\nof the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack.”\r\nSource: http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/"
	],
	"report_names": [
		"elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang"
	],
	"threat_actors": [
		{
			"id": "78090a48-ca66-4cd8-a454-04d947e9c887",
			"created_at": "2023-01-06T13:46:38.303662Z",
			"updated_at": "2026-04-10T02:00:02.919567Z",
			"deleted_at": null,
			"main_name": "Hellsing",
			"aliases": [],
			"source_name": "MISPGALAXY:Hellsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434726,
	"ts_updated_at": 1775792147,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6501a5d94de6b7bb176f1fbabb3b85d00c41d232.pdf",
		"text": "https://archive.orkl.eu/6501a5d94de6b7bb176f1fbabb3b85d00c41d232.txt",
		"img": "https://archive.orkl.eu/6501a5d94de6b7bb176f1fbabb3b85d00c41d232.jpg"
	}
}