{
	"id": "ac4c3815-d3b4-44ca-a808-e829b49f0e61",
	"created_at": "2026-04-06T00:20:18.347644Z",
	"updated_at": "2026-04-10T03:34:57.52706Z",
	"deleted_at": null,
	"sha1_hash": "7d28e672783fefa2afb312037110267350380896",
	"title": "BlackTech, Circuit Panda, Radio Panda",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70486,
	"plain_text": "BlackTech, Circuit Panda, Radio Panda\r\nArchived: 2026-04-05 22:00:25 UTC\r\nAPT group: BlackTech, Circuit Panda, Radio Panda\r\nNames\r\nBlackTech (Trend Micro)\r\nCircuit Panda (CrowdStrike)\r\nRadio Panda (CrowdStrike)\r\nPalmerworm (Symantec)\r\nTEMP.Overboard (FireEye)\r\nT-APT-03 (Tencent)\r\nRed Djinn (PWC)\r\nManga Taurus (Palo Alto)\r\nEarth Hundun (Trend Micro)\r\nCanary Typhoon (Microsoft)\r\nG0098 (MITRE)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2010\r\nDescription\r\n(Trend Micro) BlackTech is a cyber espionage group operating against targets in\r\nEast Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on\r\nthe mutexes and domain names of some of their C\u0026C servers, BlackTech’s\r\ncampaigns are likely designed to steal their target’s technology.\r\nFollowing their activities and evolving tactics and techniques helped us uncover the\r\nproverbial red string of fate that connected three seemingly disparate campaigns:\r\nPLEAD, Shrouded Crossbow, and of late, Waterbear.\r\nObserved\r\nSectors: Construction, Financial, Government, Healthcare, Media, Technology.\r\nCountries: China, Hong Kong, Japan, Taiwan, USA.\r\nTools used\r\nBendyBear, BIFROST, Bluether, DRIGO, Flagpro, Gh0stTimes, IconDown,\r\nKIVARS, PLEAD, XBOW, Living off the Land.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8914b19b-9d8a-469f-8b95-37db9894e070\r\nPage 1 of 3\n\nOperations performed\n2010\nOperation “Shrouded Crossbow”\nThis campaign, first observed in 2010, is believed to be operated by a\nwell-funded group given how it appeared to have purchased the source\ncode of the BIFROST backdoor, which the operators enhanced and\ncreated other tools from. Shrouded Crossbow targeted privatized\nagencies and government contractors as well as enterprises in the\nconsumer electronics, computer, healthcare, and financial industries.\n2012\nOperation “PLEAD”\nPLEAD is an information theft campaign with a penchant for\nconfidential documents. Active since 2012, it has so far targeted\nTaiwanese government agencies and private organizations.\n2014\nOperation “Waterbear”\nWaterbear has actually been operating for a long time. The campaign’s\nname is based on its malware’s capability to equip additional functions\nremotely.\nJul 2018\nESET researchers have discovered a new malware campaign misusing\nstolen digital certificates.\nWe spotted this malware campaign when our systems marked several\nfiles as suspicious. Interestingly, the flagged files were digitally signed\nusing a valid D-Link Corporation code-signing certificate. The exact\nsame certificate had been used to sign non-malicious D-Link software;\ntherefore, the certificate was likely stolen.\nApr 2019\nAt the end of April 2019, ESET researchers utilizing ESET telemetry\nobserved multiple attempts to deploy Plead malware in an unusual\nway. Specifically, the Plead backdoor was created and executed by a\nlegitimate process named AsusWSPanel.exe. This process belongs to\nthe Windows client for a cloud storage service called ASUS\nWebStorage.\nDec 2019 […] in one of its recent campaigns, we’ve discovered a piece of\nWaterbear payload with a brand-new purpose: hiding its network\nbehaviors from a specific security product by API hooking techniques.\nIn our analysis, we have discovered that the security vendor is APAC-based, which is consistent with BlackTech’s targeted countries.\n\n2020\nThe addition of a US target to this campaign suggests the group is\nexpanding campaigns to embrace a wider, more geographically diverse\nset of targets in their quest to steal information – although the full\nmotivations remain unclear.\nAug 2020\nBendyBear: Novel Chinese Shellcode Linked With Cyber Espionage\nGroup BlackTech\nOct 2020\nFlagpro: The new malware used by BlackTech\nInformation\nMITRE ATT\u0026CK Playbook Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8914b19b-9d8a-469f-8b95-37db9894e070",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8914b19b-9d8a-469f-8b95-37db9894e070"
	],
	"report_names": [
		"showcard.cgi?u=8914b19b-9d8a-469f-8b95-37db9894e070"
	],
	"threat_actors": [
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177",
				"Circuit Panda",
				"Earth Hundun",
				"Palmerworm",
				"Red Djinn",
				"Shrouded Crossbow"
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c93a7f58-3f75-487c-9bd6-e705b73fc07f",
			"created_at": "2023-01-06T13:46:38.330916Z",
			"updated_at": "2026-04-10T02:00:02.931171Z",
			"deleted_at": null,
			"main_name": "RADIO PANDA",
			"aliases": [
				"Shrouded Crossbow"
			],
			"source_name": "MISPGALAXY:RADIO PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434818,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d28e672783fefa2afb312037110267350380896.pdf",
		"text": "https://archive.orkl.eu/7d28e672783fefa2afb312037110267350380896.txt",
		"img": "https://archive.orkl.eu/7d28e672783fefa2afb312037110267350380896.jpg"
	}
}