{
	"id": "327b0cc5-066e-422d-bc2c-7d380a9d8ac7",
	"created_at": "2026-04-06T00:16:53.112808Z",
	"updated_at": "2026-04-10T03:34:27.551316Z",
	"deleted_at": null,
	"sha1_hash": "750dbdccb8b421341cf61ac3aef92fd48e2401a6",
	"title": "Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 160121,
	"plain_text": "Thrip: Espionage Group Hits Satellite, Telecoms, and Defense\r\nCompanies\r\nArchived: 2026-04-02 12:23:25 UTC\r\nOne of the most significant developments in cyber espionage in recent years has been the number of groups\r\nadopting “living off the land” tactics. That’s our shorthand for the use of operating system features or legitimate\r\nnetwork administration tools to compromise victims’ networks. The purpose of living off the land is twofold. By\r\nusing such features and tools, attackers are hoping to blend in on the victim’s network and hide their activity in a\r\nsea of legitimate processes. Secondly, even if malicious activity involving these tools is detected, it can make it\r\nharder to attribute attacks. If everyone is using similar tools, it’s more difficult to distinguish one group from\r\nanother. Most attack groups do still create and leverage custom malware, but it tends to be employed sparingly,\r\nreducing the risk of discovery.\r\nFinding the needle in the haystack\r\nThis doesn’t mean espionage attacks are now going undiscovered, but it does mean that they can take longer for\r\nanalysts to investigate. This is one of the reasons why Symantec created Targeted Attack Analytics (TAA), which\r\ntakes tools and capabilities that we’ve developed for our own analysts and makes them available to our Advanced\r\nThreat Protection (ATP) customers. TAA leverages advanced artificial intelligence and machine learning that\r\ncombs through Symantec’s data lake of telemetry in order to spot patterns associated with targeted attacks. Its\r\nadvanced AI automates what previously would have taken thousands of hours of analyst time. This makes it far\r\neasier for us, and for our customers, to find that “needle in the haystack.”\r\nIt was TAA that led us to the latest cyber espionage campaign we’ve uncovered. Back in January 2018, TAA\r\ntriggered an alert at a large telecoms operator in Southeast Asia. 
An attacker was using PsExec to move laterally\r\nbetween computers on the company’s network. PsExec is a Microsoft Sysinternals tool for executing processes on\r\nother systems and is one of the most frequently seen legitimate pieces of software used by attackers attempting to\r\nlive off the land. However, it’s also widely used for legitimate purposes, meaning malicious use of PsExec can be\r\ndifficult to spot.\r\nTAA not only flagged this malicious use of PsExec, it also told us what the attackers were using it for. They were\r\nattempting to remotely install a previously unknown piece of malware (Infostealer.Catchamas) on computers\r\nwithin the victim’s network.\r\nhttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\r\nPage 1 of 5\n\nFigure 1. Targeted Attack Analytics leverages machine learning to spot malicious activity associated\r\nwith targeted attacks and alerts the customer.\r\nArmed with this information about the malware and living off the land tactics being used by this group of\r\nattackers whom we named Thrip, we broadened our search to see if we could find similar patterns that indicated\r\nThrip had been targeting other organizations. We uncovered a wide-ranging cyber espionage campaign involving\r\npowerful malware being used against targets that are a cause for concern.\r\nWe identified three computers in China being used to launch the Thrip attacks. Thrip’s motive is likely espionage\r\nand its targets include those in the communications, geospatial imaging, and defense sectors, both in the United\r\nStates and Southeast Asia.\r\nEye on the sky: Thrip’s targets\r\nPerhaps the most worrying discovery we made was that Thrip had targeted a satellite communications operator.\r\nThe attack group seemed to be particularly interested in the operational side of the company, looking for and\r\ninfecting computers running software that monitors and controls satellites. 
This suggests to us that Thrip’s motives\r\ngo beyond spying and may also include disruption.\r\nAnother target was an organization involved in geospatial imaging and mapping. Again, Thrip seemed to be\r\nmainly interested in the operational side of the company. It targeted computers running MapXtreme Geographic\r\nInformation System (GIS) software which is used for tasks such as developing custom geospatial applications or\r\nintegrating location-based data into other applications. It also targeted machines running Google Earth Server and\r\nGarmin imaging software.\r\nThe satellite operator wasn’t the only communications target Thrip was interested in. The group had also targeted\r\nthree different telecoms operators, all based in Southeast Asia. In all cases, based on the nature of the computers\r\ninfected by Thrip, it appeared that the telecoms companies themselves and not their customers were the targets of\r\nthese attacks.\r\nIn addition, there was a fourth target of interest, a defense contractor.\r\nFigure 2. Thrip, spying on communications, mapping, and defense targets\r\nAttempting to hide in plain sight\r\nThrip uses a mixture of custom malware and living off the land tools to perform its attacks. The latter include:\r\nPsExec: Microsoft Sysinternals tool for executing processes on other systems. 
The tool was primarily used\r\nby the attackers to move laterally on the victim’s network.\r\nPowerShell: Microsoft scripting tool that was used to run commands to download payloads, traverse\r\ncompromised networks, and carry out reconnaissance.\r\nMimikatz: Freely available tool capable of changing privileges, exporting security certificates, and\r\nrecovering Windows passwords in plaintext.\r\nWinSCP: Open source FTP client used to exfiltrate data from targeted organizations.\r\nLogMeIn: Cloud-based remote access software. It’s unclear whether the attackers gained unauthorized\r\naccess to the victim’s LogMeIn accounts or whether they created their own.\r\nAll of these tools, with the exception of Mimikatz (which is almost always used maliciously), have legitimate\r\nuses. For example, PowerShell is widely used within enterprises and the vast majority of scripts are legitimate.\r\nSimilarly, PsExec is frequently used by systems administrators. However, in this case, it was Thrip’s use of\r\nPsExec that drew our attention. Through advanced artificial intelligence and machine learning, TAA has trained\r\nitself to spot patterns of malicious activity. While PsExec itself may be innocuous, the way that it was being used\r\nhere triggered an alert by TAA. In short, Thrip’s attempts at camouflage blew its cover.\r\nWhile Thrip now makes heavy use of living off the land tactics, it also employs custom malware\r\n(Infostealer.Catchamas), particularly against computers of interest. 
Catchamas is a custom Trojan designed to steal\r\ninformation from an infected computer and contains additional features designed to avoid detection.\r\nHighly targeted espionage operation\r\nFrom the initial alert triggered by TAA, we were able to follow a trail that eventually enabled us to see the bigger\r\npicture of a cyber espionage campaign originating from computers within China and targeting multiple\r\norganizations in the U.S. and Southeast Asia. Espionage is the group’s likely motive but given its interest in\r\ncompromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do\r\nso.\r\nProtection\r\nThe following protections are in place to protect customers against Thrip attacks:\r\nFile-based protection\r\nInfostealer.Catchamas\r\nHacktool.Mimikatz\r\nNetwork protection products\r\nMalware Analysis Appliance detects activity associated with Thrip\r\nCustomers with Webpulse-enabled products are protected against activity associated with Thrip\r\nThreat intelligence\r\nIn addition to file-based protection, customers of the DeepSight Intelligence Managed Adversary and Threat\r\nIntelligence (MATI) service have received reports on Thrip, which detail methods of detecting and thwarting\r\nactivities of this group.\r\nThreat Hunter Team\r\nSymantec and Carbon Black\r\nSource: https://symantec-blogs.broadcom.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
	],
	"report_names": [
		"thrip-hits-satellite-telecoms-defense-targets"
	],
	"threat_actors": [
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434613,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/750dbdccb8b421341cf61ac3aef92fd48e2401a6.pdf",
		"text": "https://archive.orkl.eu/750dbdccb8b421341cf61ac3aef92fd48e2401a6.txt",
		"img": "https://archive.orkl.eu/750dbdccb8b421341cf61ac3aef92fd48e2401a6.jpg"
	}
}