{ "id": "eba77b97-381e-4000-b661-a35bffb51e8e", "created_at": "2026-04-06T00:15:30.991909Z", "updated_at": "2026-04-10T03:25:23.986437Z", "deleted_at": null, "sha1_hash": "823c80950c0eb92593a3da7dd89c80795f885751", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 42359, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:45:29 UTC\n APT group: AtlasCross\nNames AtlasCross (NSFOCUS)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2023\nDescription\n(NSFOCUS) After an in-depth study of the attack process, NSFOCUS Security Labs found\nthat this APT attacker is quite different from known attacker characteristics in terms of\nexecution flow, attack technology stack, attack tools, implementation details, attack objectives,\nbehavior tendency and other main attribution indicators. The technical level and cautious\nattitude shown by this attacker during this activity are also worthy of attention.\nTherefore, NSFOCUS Security Labs identified the orchestrator of this event as a new attacker\nand named it AtlasCross.\nNSFOCUS Security Labs validated the high-level threat attributes of AtlasCross in terms of\ndevelopment technology and attack strategy through an in-depth analysis of its attack metrics.\nAt this current stage, AtlasCross has a relatively limited scope of activity, primarily focusing\non targeted attacks against specific hosts within a network domain. However, the attack\nprocesses they employ are highly robust and mature. NSFOCUS Security Labs deduce that\nthis attacker is highly likely to deploy this attack process into larger-scale network attack\noperations.\nThe organizational origin of the AtlasCross attacker cannot be determined.\nObserved\nTools used AtlasAgent, DangerAds.\nInformation\nLast change to this card: 12 October 2023\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=44cf4c8d-c5b1-467a-a474-ed16373f0881\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=44cf4c8d-c5b1-467a-a474-ed16373f0881\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=44cf4c8d-c5b1-467a-a474-ed16373f0881\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=44cf4c8d-c5b1-467a-a474-ed16373f0881" ], "report_names": [ "showcard.cgi?u=44cf4c8d-c5b1-467a-a474-ed16373f0881" ], "threat_actors": [ { "id": "6ef06641-1478-4225-93a5-4f2c3bc04f76", "created_at": "2023-10-12T02:00:07.12827Z", "updated_at": "2026-04-10T02:00:03.376016Z", "deleted_at": null, "main_name": "AtlasCross", "aliases": [], "source_name": "MISPGALAXY:AtlasCross", "tools": [ "DangerAds", "AtlasAgent" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "886f8261-e6e3-49c2-a89b-f3a333e28dd5", "created_at": "2023-10-14T02:03:14.040846Z", "updated_at": "2026-04-10T02:00:04.566889Z", "deleted_at": null, "main_name": "AtlasCross", "aliases": [], "source_name": "ETDA:AtlasCross", "tools": [ "AtlasAgent", "DangerAds" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434530, "ts_updated_at": 1775791523, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/823c80950c0eb92593a3da7dd89c80795f885751.pdf", "text": "https://archive.orkl.eu/823c80950c0eb92593a3da7dd89c80795f885751.txt", "img": "https://archive.orkl.eu/823c80950c0eb92593a3da7dd89c80795f885751.jpg" } }