{ "id": "d7342609-6057-4397-9d3b-f54c138198a9", "created_at": "2026-04-06T00:17:39.3555Z", "updated_at": "2026-04-10T03:31:48.832062Z", "deleted_at": null, "sha1_hash": "6c16bae81e6e48d4d44fc8da4cade338d3b8411d", "title": "Operation EmailThief, TEMP_Heretic - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49119, "plain_text": "Operation EmailThief, TEMP_Heretic - Threat Group Cards: A\nThreat Actor Encyclopedia\nArchived: 2026-04-05 20:10:06 UTC\nHome \u003e List all groups \u003e Operation EmailThief, TEMP_Heretic\n APT group: Operation EmailThief, TEMP_Heretic\nNames\nOperation EmailThief (Volexity)\nTEMP_Heretic (Volexity)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2021\nDescription\n(Volexity) In December 2021, through its Network Security Monitoring service, Volexity\nidentified a series of targeted spear-phishing campaigns against one of its customers from a\nthreat actor it tracks as TEMP_Heretic. Analysis of the emails from these spear phishing\ncampaigns led to a discovery: the attacker was attempting to exploit a zero-day cross-site\nscripting (XSS) vulnerability in the Zimbra email platform. Zimbra is an open source email\nplatform often used by organizations as an alternative to Microsoft Exchange.\nThe campaigns came in multiple waves across two attack phases. The initial phase was aimed\nat reconnaissance and involved emails designed to simply track if a target received and opened\nthe messages. The second phase came in several waves that contained email messages luring\ntargets to click a malicious attacker-crafted link. For the attack to be successful, the target\nwould have to visit the attacker's link while logged into the Zimbra webmail client from a web\nbrowser. The link itself, however, could be launched from an application to include a thick\nclient, such as Thunderbird or Outlook. Successful exploitation results in the attacker being\nable to run arbitrary JavaScript in the context of the user's Zimbra session. Volexity observed\nthe attacker attempting to load JavaScript to steal user mail data and attachments.\nObserved\nSectors: Government, Media.\nCountries: Europe.\nTools used\nInformation\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=fd39b227-146f-400c-975e-ae146431cfd6\nPage 1 of 2\n\nLast change to this card: 04 February 2022\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=fd39b227-146f-400c-975e-ae146431cfd6\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=fd39b227-146f-400c-975e-ae146431cfd6\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=fd39b227-146f-400c-975e-ae146431cfd6" ], "report_names": [ "showcard.cgi?u=fd39b227-146f-400c-975e-ae146431cfd6" ], "threat_actors": [ { "id": "e767cfb1-3030-4041-b617-64befa8f8ad7", "created_at": "2023-11-21T02:00:07.347329Z", "updated_at": "2026-04-10T02:00:03.464024Z", "deleted_at": null, "main_name": "TEMP_Heretic", "aliases": [], "source_name": "MISPGALAXY:TEMP_Heretic", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5a725cab-d852-48cf-bcb9-f69426f89332", "created_at": "2022-10-25T16:07:23.951922Z", "updated_at": "2026-04-10T02:00:04.805463Z", "deleted_at": null, "main_name": "Operation EmailThief", "aliases": [ "Operation EmailThief", "TEMP_Heretic" ], "source_name": "ETDA:Operation EmailThief", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434659, "ts_updated_at": 1775791908, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6c16bae81e6e48d4d44fc8da4cade338d3b8411d.pdf", "text": "https://archive.orkl.eu/6c16bae81e6e48d4d44fc8da4cade338d3b8411d.txt", "img": "https://archive.orkl.eu/6c16bae81e6e48d4d44fc8da4cade338d3b8411d.jpg" } }