{
	"id": "efe59f63-c91c-461b-a266-4d4249fc4fbe",
	"created_at": "2026-04-06T00:19:35.031556Z",
	"updated_at": "2026-04-10T03:35:34.374766Z",
	"deleted_at": null,
	"sha1_hash": "7aeac4066e4800a3c93e693785d28b6fa72857f7",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61953,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 12:51:09 UTC\r\nAPT group: Platinum\r\nNames\r\nPlatinum (Microsoft)\r\nTwoForOne (FireEye)\r\nATK 33 (Thales)\r\nG0068 (MITRE)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2009\r\nDescription\r\n(Microsoft) Platinum has been targeting its victims since at least as early as 2009, and may have\r\nbeen active for several years prior. Its activities are distinctly different not only from those\r\ntypically seen in untargeted attacks, but from many targeted attacks as well. A large share of\r\ntargeted attacks can be characterized as opportunistic: the activity group changes its target\r\nprofiles and attack geographies based on geopolitical seasons, and may attack institutions all over\r\nthe world. Like many such groups, Platinum seeks to steal sensitive intellectual property related\r\nto government interests, but its range of preferred targets is consistently limited to specific\r\ngovernmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and\r\ntelecommunication providers in South and Southeast Asia. The group’s persistent use of spear-phishing tactics (phishing attempts aimed at specific individuals) and access to previously\r\nundiscovered zero-day exploits have made it a highly resilient threat.\r\nObserved\r\nSectors: Defense, Financial, Government, Telecommunications and Intelligence agencies.\r\nCountries: China, India, Indonesia, Malaysia, Singapore, Thailand, Vietnam.\r\nTools used\r\nadbupd, AMTsol, DvDupdate.dll, JPIN, psinstrc.ps1, RedPepper, RedSalt, Titanium, Living off\r\nthe Land.\r\nOperations performed\r\n2017\r\nSince the 2016 publication, Microsoft has come across an evolution of\r\nPLATINUM’s file-transfer tool, one that uses the Intel Active Management\r\nTechnology (AMT) Serial-over-LAN (SOL) channel for communication. This\r\nchannel works independently of the operating system (OS), rendering any\r\ncommunication over it invisible to firewall and network monitoring applications\r\nrunning on the host device. Until this incident, no malware had been discovered\r\nmisusing the AMT SOL feature for communication.\r\n\u003chttps://www.microsoft.com/security/blog/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility\u003e\r\nMid 2017 Operation “EasternRoppels”\r\nIn the middle of 2017, Kaspersky Lab experts discovered a new malicious threat\nthat is believed to be related to the famous PLATINUM APT group, which had been\nwidely regarded as inactive. They named the campaign ‘EasternRoppels’.\nNov 2019\nDuring recent analysis we discovered Platinum using a new backdoor that we call\nTitanium (named after a password to one of the self-executable archives). Titanium\nis the final result of a sequence of dropping, downloading and installing stages.\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=69d35f6f-9bd8-4d36-b120-2b563ef06841",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=69d35f6f-9bd8-4d36-b120-2b563ef06841"
	],
	"report_names": [
		"showcard.cgi?u=69d35f6f-9bd8-4d36-b120-2b563ef06841"
	],
	"threat_actors": [
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434775,
	"ts_updated_at": 1775792134,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7aeac4066e4800a3c93e693785d28b6fa72857f7.pdf",
		"text": "https://archive.orkl.eu/7aeac4066e4800a3c93e693785d28b6fa72857f7.txt",
		"img": "https://archive.orkl.eu/7aeac4066e4800a3c93e693785d28b6fa72857f7.jpg"
	}
}