{
	"id": "8cc6d389-4d9f-4881-a319-b24403260e61",
	"created_at": "2026-04-06T00:21:41.361724Z",
	"updated_at": "2026-04-10T03:34:18.921539Z",
	"deleted_at": null,
	"sha1_hash": "6d85596d0ce0fbbc480c02b5963964cc7ad92ee4",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53940,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:51:26 UTC\r\n APT group: TA413\r\nNames\r\nTA413 (Proofpoint)\r\nWhite Dev 9 (PWC)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2019\r\nDescription (Proofpoint) Beginning in the first half of 2020, the rapid international spread of the\r\nCOVID-19 virus introduced a shift within the threat landscape towards pandemic-themed social engineering lures. Public research has noted several Chinese APT\r\ngroups adopting COVID-19 phishing lures in recent months to carry out espionage\r\ncampaigns against established and expanding target sets. In March 2020, Proofpoint\r\nresearchers observed a phishing campaign impersonating the World Health\r\nOrganization’s (WHO) guidance on COVID-19 critical preparedness to deliver a\r\nnew malware family that researchers have dubbed “Sepulcher”. This campaign\r\ntargeted European diplomatic and legislative bodies, non-profit policy research\r\norganizations, and global organizations dealing with economic affairs. Additionally,\r\na sender email identified in this campaign has been linked to historic Chinese APT\r\ntargeting of the international Tibetan community using payloads linked to LuckyCat\r\nmalware. Subsequently, a phishing campaign from July 2020 targeting Tibetan\r\ndissidents was identified delivering the same strain of Sepulcher malware. Operator\r\nemail accounts identified in this campaign have been publicly linked to historic\r\nChinese APT campaigns targeting the Tibetan community delivering ExileRAT\r\nmalware. Based on the use of publicly known sender addresses associated with\r\nTibetan dissident targeting and the delivery of Sepulcher malware payloads,\r\nProofpoint researchers have attributed both campaigns to the APT actor TA413,\r\nwhich has previously been documented in association with ExileRAT. The usage of\r\npublicly known Tibetan-themed sender accounts to deliver Sepulcher malware\r\ndemonstrates a short-term realignment of TA413’s targets of interest. While best\r\nknown for their campaigns against the Tibetan diaspora, this APT group associated\r\nwith the Chinese state interest prioritized intelligence collection around Western\r\neconomies reeling from COVID-19 in March 2020 before resuming more\r\nconventional targeting later this year.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e32ce320-6a58-4213-9865-1733af93fec8\r\nPage 1 of 2\n\nAn overlap in infrastructure has been observed with Lucky Cat.\nObserved Countries: Tibet and Europe.\nTools used ExileRAT, Sepulcher.\nOperations performed\nJan 2021\nTA413 Leverages New FriarFox Browser Extension to Target the\nGmail Accounts of Global Tibetan Organizations\nMay 2022\nChinese-linked threat actors are now actively exploiting a Microsoft\nOffice zero-day vulnerability (known as 'Follina') to execute\nmalicious code remotely on Windows systems.\n2022\nChinese State-Sponsored Group TA413 Adopts New Capabilities in\nPursuit of Tibetan Targets\nInformation\nLast change to this card: 18 November 2022\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e32ce320-6a58-4213-9865-1733af93fec8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e32ce320-6a58-4213-9865-1733af93fec8"
	],
	"report_names": [
		"showcard.cgi?u=e32ce320-6a58-4213-9865-1733af93fec8"
	],
	"threat_actors": [
		{
			"id": "3b1367ff-99dc-41f0-986f-4a1dcb41bbbf",
			"created_at": "2022-10-25T16:07:24.273478Z",
			"updated_at": "2026-04-10T02:00:04.918037Z",
			"deleted_at": null,
			"main_name": "TA413",
			"aliases": [
				"White Dev 9"
			],
			"source_name": "ETDA:TA413",
			"tools": [
				"Exile RAT",
				"ExileRAT",
				"Sepulcher"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9792e41f-4165-474b-99fa-e74ec332bd87",
			"created_at": "2023-01-06T13:46:38.986789Z",
			"updated_at": "2026-04-10T02:00:03.172308Z",
			"deleted_at": null,
			"main_name": "Lucky Cat",
			"aliases": [
				"TA413",
				"White Dev 9"
			],
			"source_name": "MISPGALAXY:Lucky Cat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur",
				"KeyBoy",
				"Pirate Panda",
				"Red Orthrus",
				"TA413",
				"Tropic Trooper"
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1a651080-cb2f-49bb-87cb-b9c6f6f99ce9",
			"created_at": "2022-10-25T16:07:23.809467Z",
			"updated_at": "2026-04-10T02:00:04.756067Z",
			"deleted_at": null,
			"main_name": "Lucky Cat",
			"aliases": [],
			"source_name": "ETDA:Lucky Cat",
			"tools": [
				"Comfoo",
				"Comfoo RAT",
				"Lucky Cat",
				"LuckyCat",
				"Sojax",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434901,
	"ts_updated_at": 1775792058,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d85596d0ce0fbbc480c02b5963964cc7ad92ee4.pdf",
		"text": "https://archive.orkl.eu/6d85596d0ce0fbbc480c02b5963964cc7ad92ee4.txt",
		"img": "https://archive.orkl.eu/6d85596d0ce0fbbc480c02b5963964cc7ad92ee4.jpg"
	}
}