{
	"id": "7ea1709d-f07b-4967-9022-cfcf34b8f9f4",
	"created_at": "2026-04-06T00:10:06.751631Z",
	"updated_at": "2026-04-10T03:29:58.972948Z",
	"deleted_at": null,
	"sha1_hash": "7bb24f7a66c2f3d001a8b88a1e522e8d0eb080d3",
	"title": "Nightshade Panda, APT 9, Group 27",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58686,
	"plain_text": "Nightshade Panda, APT 9, Group 27\r\nArchived: 2026-04-05 21:21:10 UTC\r\nHome \u003e List all groups \u003e Nightshade Panda, APT 9, Group 27\r\n APT group: Nightshade Panda, APT 9, Group 27\r\nNames\r\nNightshade Panda (CrowdStrike)\r\nAPT 9 (Mandiant)\r\nGroup 27 (ASERT)\r\nFlowerLady (Context)\r\nFlowerShow (Context)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nDescription\r\n(Softpedia) Arbor’s ASERT team is now reporting that, after looking deeper at that\r\nparticular campaign, and by exposing a new trail in the group’s activities, they\r\nmanaged to identify a new RAT that was undetectable at that time by most antivirus\r\nvendors.\r\nNamed Trochilus, this new RAT was part of Group 27’s malware portfolio that\r\nincluded six other malware strains, all served together or in different combinations,\r\nbased on the data that needed to be stolen from each victim.\r\nThis collection of malware, dubbed the Seven Pointed Dagger by ASERT experts,\r\nincluded two different PlugX versions, two different Trochilus RAT versions, one\r\nversion of the 3012 variant of the 9002 RAT, one EvilGrab RAT version, and one\r\nunknown piece of malware, which the team has not entirely decloaked just yet.\r\nObserved\r\nSectors: Energy, Government, Media, Utilities.\r\nCountries: Myanmar, Thailand, USA and Europe.\r\nTools used\r\n3102 RAT, 9002 RAT, EvilGrab RAT, MoonWind RAT, PlugX, Poison Ivy,\r\nTrochilus RAT.\r\nOperations performed May 2015 Operation “Seven Pointed Dagger”\r\nDuring that campaign, the threat actor identified as Group 27 used\r\nwatering hole attacks on official Myanmar government websites to\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8a0bdb6e-8aff-478b-a9bc-29732ec3e99c\r\nPage 1 of 2\n\ninfect unsuspecting users with the PlugX malware (an RAT) when\naccessing information on the upcoming Myanmar elections.\nMay 2015\nChinese Actors Use ‘3102’ Malware in Attacks on US Government\nand EU Media\nSep 
2016\nFrom September 2016 through late November 2016, a threat actor\ngroup used both the Trochilus RAT and a newly identified RAT we’ve\nnamed MoonWind to target organizations in Thailand, including a\nutility organization. We chose the name ‘MoonWind’ based on\ndebugging strings we saw within the samples, as well as the compiler\nused to generate the samples. The attackers compromised two\nlegitimate Thai websites to host the malware, which is a tactic this\ngroup has used in the past.\nLast change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8a0bdb6e-8aff-478b-a9bc-29732ec3e99c\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8a0bdb6e-8aff-478b-a9bc-29732ec3e99c\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8a0bdb6e-8aff-478b-a9bc-29732ec3e99c"
	],
	"report_names": [
		"showcard.cgi?u=8a0bdb6e-8aff-478b-a9bc-29732ec3e99c"
	],
	"threat_actors": [
		{
			"id": "699b7efc-322d-489d-818d-823fac028124",
			"created_at": "2023-01-06T13:46:39.404825Z",
			"updated_at": "2026-04-10T02:00:03.315524Z",
			"deleted_at": null,
			"main_name": "APT9",
			"aliases": [
				"NIGHTSHADE PANDA",
				"Red Pegasus",
				"Group 27"
			],
			"source_name": "MISPGALAXY:APT9",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e79324a2-bdae-4dc5-9421-578a59045288",
			"created_at": "2022-10-25T16:07:23.906087Z",
			"updated_at": "2026-04-10T02:00:04.784657Z",
			"deleted_at": null,
			"main_name": "Nightshade Panda",
			"aliases": [
				"APT 9",
				"FlowerLady",
				"FlowerShow",
				"Group 27",
				"Nightshade Panda",
				"Operation Seven Pointed Dagger"
			],
			"source_name": "ETDA:Nightshade Panda",
			"tools": [
				"3102 RAT",
				"9002 RAT",
				"Agent.dhwf",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"EvilGrab",
				"EvilGrab RAT",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"MoonWind",
				"MoonWind RAT",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Vidgrab",
				"Wmonder",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434206,
	"ts_updated_at": 1775791798,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7bb24f7a66c2f3d001a8b88a1e522e8d0eb080d3.pdf",
		"text": "https://archive.orkl.eu/7bb24f7a66c2f3d001a8b88a1e522e8d0eb080d3.txt",
		"img": "https://archive.orkl.eu/7bb24f7a66c2f3d001a8b88a1e522e8d0eb080d3.jpg"
	}
}