{ "id": "bf662d8b-78d3-4357-9b1e-c7f75b82b237", "created_at": "2026-04-06T00:13:53.928487Z", "updated_at": "2026-04-10T13:11:45.606935Z", "deleted_at": null, "sha1_hash": "66c4a6d05653799a7ff9b29929f23ad1b07858ea", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 56760, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:38:45 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ChChes\n Tool: ChChes\nNames\nChChes\nHAYMAKER\nHam Backdoor\nScorpion\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) In addition to using PlugX and Poison Ivy (PIVY), both known to be used\nby the group, they also used a new Trojan called “ChChes” by the Japan Computer\nEmergency Response Team Coordination Center (JPCERT). In contrast to PlugX and\nPIVY, which are used by multiple campaigns, ChChes appears to be unique to this\ngroup. An analysis of the malware family can be found later in this blog.\nInterestingly, the ChChes samples we observed were digitally signed using a certificate\noriginally used by HackingTeam and later part of the data leaked when they were\nthemselves hacked. Wapack labs also observed a similar sample targeting Japan in\nNovember. It’s not clear why the attackers chose to use this certificate, as it was old, had\nbeen leaked online, and had already been revoked by the time they used it. Digital\ncertificates are typically used because they afford an air of legitimacy, which this one\ndefinitely does not.\nInformation\nMITRE ATT\u0026CK Malpedia https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=641359e0-3415-45b2-a304-860ecb58ac7d\nPage 1 of 2\n\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:chches\u003e\r\nLast change to this tool card: 13 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool ChChes\r\nChanged Name Country Observed\r\nAPT groups\r\n  Snake Wine 2016  \r\n  Stone Panda, APT 10, menuPass 2006-Mar 2025\r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=641359e0-3415-45b2-a304-860ecb58ac7d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=641359e0-3415-45b2-a304-860ecb58ac7d\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=641359e0-3415-45b2-a304-860ecb58ac7d" ], "report_names": [ "listgroups.cgi?u=641359e0-3415-45b2-a304-860ecb58ac7d" ], "threat_actors": [ { "id": "ec14074c-8517-40e1-b4d7-3897f1254487", "created_at": "2023-01-06T13:46:38.300905Z", "updated_at": "2026-04-10T02:00:02.918468Z", "deleted_at": null, "main_name": "APT10", "aliases": [ "Red Apollo", "HOGFISH", "BRONZE RIVERSIDE", "G0045", "TA429", "Purple Typhoon", "STONE PANDA", "Menupass Team", "happyyongzi", "CVNX", "Cloud Hopper", "ATK41", "Granite Taurus", "POTASSIUM" ], "source_name": "MISPGALAXY:APT10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "42a7c8ec-e6f6-4460-9ad4-0ca2d3210135", "created_at": "2022-10-25T16:07:24.203518Z", "updated_at": "2026-04-10T02:00:04.898194Z", "deleted_at": null, "main_name": "Snake Wine", "aliases": [], "source_name": "ETDA:Snake Wine", "tools": [ "ChChes", "HAYMAKER", "Ham Backdoor", "Tofu Backdoor" ], "source_id": "ETDA", "reports": null }, { "id": "ba9fa308-a29a-4928-9c06-73aafec7624c", "created_at": "2024-05-01T02:03:07.981061Z", "updated_at": "2026-04-10T02:00:03.750803Z", "deleted_at": null, "main_name": "BRONZE RIVERSIDE", "aliases": [ "APT10 ", "CTG-5938 ", "CVNX ", "Hogfish ", "MenuPass ", "MirrorFace ", "POTASSIUM ", "Purple Typhoon ", "Red Apollo ", "Stone Panda " ], "source_name": "Secureworks:BRONZE RIVERSIDE", "tools": [ "ANEL", "AsyncRAT", "ChChes", "Cobalt Strike", "HiddenFace", "LODEINFO", "PlugX", "PoisonIvy", "QuasarRAT", "QuasarRAT Loader", "RedLeaves" ], "source_id": "Secureworks", "reports": null }, { "id": "04b07437-41bb-4126-bcbb-def16f19d7c6", "created_at": "2022-10-25T16:07:24.232628Z", "updated_at": "2026-04-10T02:00:04.906097Z", "deleted_at": null, "main_name": "Stone Panda", "aliases": [ "APT 10", "ATK 41", "Bronze Riverside", "CTG-5938", "CVNX", "Cuckoo Spear", "Earth Kasha", "G0045", "G0093", "Granite Taurus", "Happyyongzi", "Hogfish", "ITG01", "Operation A41APT", "Operation Cache Panda", "Operation ChessMaster", "Operation Cloud Hopper", "Operation Cuckoo Spear", "Operation New Battle", "Operation Soft Cell", "Operation TradeSecret", "Potassium", "Purple Typhoon", "Red Apollo", "Stone Panda", "TA429", "menuPass", "menuPass Team" ], "source_name": "ETDA:Stone Panda", "tools": [ "Agent.dhwf", "Agentemis", "Anel", "AngryRebel", "BKDR_EVILOGE", "BKDR_HGDER", "BKDR_NVICM", "BUGJUICE", "CHINACHOPPER", "ChChes", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "DARKTOWN", "DESLoader", "DILLJUICE", "DILLWEED", "Darkmoon", "DelfsCake", "Derusbi", "Destroy RAT", "DestroyRAT", "Ecipekac", "Emdivi", "EvilGrab", "EvilGrab RAT", "FYAnti", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "GreetCake", "HAYMAKER", "HEAVYHAND", "HEAVYPOT", "HTran", "HUC Packet Transmit Tool", "Ham Backdoor", "HiddenFace", "Impacket", "Invoke the Hash", "KABOB", "Kaba", "Korplug", "LODEINFO", "LOLBAS", "LOLBins", "Living off the Land", "MiS-Type", "Mimikatz", "Moudour", "Mydoor", "NBTscan", "NOOPDOOR", "Newsripper", "P8RAT", "PCRat", "PlugX", "Poison Ivy", "Poldat", "PowerSploit", "PowerView", "PsExec", "PsList", "Quarks PwDump", "Quasar RAT", "QuasarRAT", "RedDelta", "RedLeaves", "Rubeus", "SNUGRIDE", "SPIVY", "SharpSploit", "SigLoader", "SinoChopper", "SodaMaster", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "UpperCut", "Vidgrab", "WinRAR", "WmiExec", "Wmonder", "Xamtrav", "Yggdrasil", "Zlib", "certutil", "certutil.exe", "cobeacon", "dfls", "lena", "nbtscan", "pivy", "poisonivy", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a", "created_at": "2022-10-25T15:50:23.298889Z", "updated_at": "2026-04-10T02:00:05.316886Z", "deleted_at": null, "main_name": "menuPass", "aliases": [ "menuPass", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE" ], "source_name": "MITRE:menuPass", "tools": [ "certutil", "FYAnti", "UPPERCUT", "SNUGRIDE", "P8RAT", "RedLeaves", "SodaMaster", "pwdump", "Mimikatz", "PlugX", "PowerSploit", "ChChes", "cmd", "QuasarRAT", "AdFind", "Cobalt Strike", "PoisonIvy", "EvilGrab", "esentutl", "Impacket", "Ecipekac", "PsExec", "HUI Loader" ], "source_id": "MITRE", "reports": null }, { "id": "029f7e65-fec8-481e-a7ef-9b5e53ef2371", "created_at": "2023-01-06T13:46:38.674255Z", "updated_at": "2026-04-10T02:00:03.063656Z", "deleted_at": null, "main_name": "Snake Wine", "aliases": [], "source_name": "MISPGALAXY:Snake Wine", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434433, "ts_updated_at": 1775826705, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/66c4a6d05653799a7ff9b29929f23ad1b07858ea.pdf", "text": "https://archive.orkl.eu/66c4a6d05653799a7ff9b29929f23ad1b07858ea.txt", "img": "https://archive.orkl.eu/66c4a6d05653799a7ff9b29929f23ad1b07858ea.jpg" } }