{ "id": "b8b8fe1b-acc9-4618-9ebd-2be6e11e239d", "created_at": "2026-04-06T00:09:36.593874Z", "updated_at": "2026-04-10T03:38:09.72281Z", "deleted_at": null, "sha1_hash": "6deaf05ec4ebf3f7e53957df8349cf8e183d945b", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50702, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:48:41 UTC\n APT group: Siesta\nNames Siesta (Trend Micro)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2014\nDescription\n(Trend Micro) In the past few weeks, we have received several reports of targeted attacks that\nexploited various application vulnerabilities to infiltrate various organizations. Similar to the\nSafe Campaign, the campaigns we noted went seemingly unnoticed and under the radar.\n(FireEye) FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and\ndubbed the “Siesta” campaign. The tools, modus operandi, and infrastructure used in the\ncampaign present two possibilities: either the Chinese cyber-espionage unit Comment Crew,\nAPT 1 is perpetrating this activity, or another group is using the same tactics and tools as the\nlegacy APT1.\nThe Siesta campaign reinforces the fact that analysts and network defenders should remain on\nthe lookout for known, public indicators and for shared attributes that allow security experts to\ndetect multiple actors with one signature.\nObserved\nSectors: Defense, Energy, Financial, Government, Healthcare, Media, Telecommunications,\nTransportation.\nTools used Poison Ivy.\nInformation\nLast change to this card: 15 April 2020\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1f7a817d-6112-4e7b-b124-91519dbb02a1\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1f7a817d-6112-4e7b-b124-91519dbb02a1\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1f7a817d-6112-4e7b-b124-91519dbb02a1\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1f7a817d-6112-4e7b-b124-91519dbb02a1" ], "report_names": [ "showcard.cgi?u=1f7a817d-6112-4e7b-b124-91519dbb02a1" ], "threat_actors": [ { "id": "f9fa9633-dfd1-458d-84ce-cc36dcdc7ce4", "created_at": "2022-10-25T16:07:24.188897Z", "updated_at": "2026-04-10T02:00:04.894484Z", "deleted_at": null, "main_name": "Siesta", "aliases": [], "source_name": "ETDA:Siesta", "tools": [ "Chymine", "Darkmoon", "Gen:Trojan.Heur.PT", "Poison Ivy", "SPIVY", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "f9bb42e1-65d6-444e-8c63-21c2605b49e0", "created_at": "2023-01-06T13:46:38.887429Z", "updated_at": "2026-04-10T02:00:03.133382Z", "deleted_at": null, "main_name": "Siesta", "aliases": [], "source_name": "MISPGALAXY:Siesta", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "dabb6779-f72e-40ca-90b7-1810ef08654d", "created_at": "2022-10-25T15:50:23.463113Z", "updated_at": "2026-04-10T02:00:05.369301Z", "deleted_at": null, "main_name": "APT1", "aliases": [ "APT1", "Comment Crew", "Comment Group", "Comment Panda" ], "source_name": "MITRE:APT1", "tools": [ "Seasalt", "ipconfig", "Cachedump", "PsExec", "GLOOXMAIL", "Lslsass", "PoisonIvy", "WEBC2", "Mimikatz", "gsecdump", "Pass-The-Hash Toolkit", "Tasklist", "xCmd", "pwdump" ], "source_id": "MITRE", "reports": null }, { "id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb", "created_at": "2023-01-06T13:46:38.228042Z", "updated_at": "2026-04-10T02:00:02.883048Z", "deleted_at": null, "main_name": "APT1", "aliases": [ "PLA Unit 61398", "Comment Crew", "Byzantine Candor", "Comment Group", "GIF89a", "Group 3", "TG-8223", "Brown Fox", "ShadyRAT", "G0006", "COMMENT PANDA" ], "source_name": "MISPGALAXY:APT1", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b", "created_at": "2022-10-25T16:07:23.480196Z", "updated_at": "2026-04-10T02:00:04.626125Z", "deleted_at": null, "main_name": "Comment Crew", "aliases": [ "APT 1", "BrownFox", "Byzantine Candor", "Byzantine Hades", "Comment Crew", "Comment Panda", "G0006", "GIF89a", "Group 3", "Operation Oceansalt", "Operation Seasalt", "Operation Siesta", "Shanghai Group", "TG-8223" ], "source_name": "ETDA:Comment Crew", "tools": [ "Auriga", "Cachedump", "Chymine", "CookieBag", "Darkmoon", "GDOCUPLOAD", "GLOOXMAIL", "GREENCAT", "Gen:Trojan.Heur.PT", "GetMail", "Hackfase", "Hacksfase", "Helauto", "Kurton", "LETSGO", "LIGHTBOLT", "LIGHTDART", "LOLBAS", "LOLBins", "LONGRUN", "Living off the Land", "Lslsass", "MAPIget", "ManItsMe", "Mimikatz", "MiniASP", "Oceansalt", "Pass-The-Hash Toolkit", "Poison Ivy", "ProcDump", "Riodrv", "SPIVY", "Seasalt", "ShadyRAT", "StarsyPound", "TROJAN.COOKIES", "TROJAN.FOXY", "TabMsgSQL", "Tarsip", "Trojan.GTALK", "WebC2", "WebC2-AdSpace", "WebC2-Ausov", "WebC2-Bolid", "WebC2-Cson", "WebC2-DIV", "WebC2-GreenCat", "WebC2-Head", "WebC2-Kt3", "WebC2-Qbp", "WebC2-Rave", "WebC2-Table", "WebC2-UGX", "WebC2-Yahoo", "Wordpress Bruteforcer", "bangat", "gsecdump", "pivy", "poisonivy", "pwdump", "zxdosml" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434176, "ts_updated_at": 1775792289, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6deaf05ec4ebf3f7e53957df8349cf8e183d945b.pdf", "text": "https://archive.orkl.eu/6deaf05ec4ebf3f7e53957df8349cf8e183d945b.txt", "img": "https://archive.orkl.eu/6deaf05ec4ebf3f7e53957df8349cf8e183d945b.jpg" } }