{
	"id": "501ee7c2-6eef-40b9-91d4-1e8b2badb786",
	"created_at": "2026-04-06T00:07:05.486186Z",
	"updated_at": "2026-04-10T03:37:50.743321Z",
	"deleted_at": null,
	"sha1_hash": "8368d3362d356c1bccd1b7a71b0dcda1397e9447",
	"title": "Snake Wine - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49074,
	"plain_text": "Snake Wine - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:39:40 UTC\r\n APT group: Snake Wine\r\nNames Snake Wine (Cylance)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2016\r\nDescription\r\n(Cylance) While investigating some of the smaller name servers that Sofacy (also tracked as APT 28, Fancy\r\nBear and Sednit) routinely uses to host its infrastructure, Cylance discovered another prolonged\r\ncampaign that appeared to exclusively target Japanese companies and individuals and that began\r\naround August 2016. The later domain registration style was eerily close to previously registered\r\nAPT28 domains; however, the malware used in the attacks did not seem to line up with APT28 tooling at all.\r\n(The shared name servers and similar registration habits are an infrastructure overlap, not an attribution\r\nto APT28; this card treats Snake Wine as a separate, China-linked group.)\r\nDuring the course of our investigation, JPCERT published an analysis of one of the group’s\r\nbackdoors (ChChes; see the jpcert.or.jp link under Information). Cylance tracks this threat group internally as ‘Snake Wine’.\r\nThe Snake Wine group has proven to be highly adaptable and has continued to adopt new\r\ntactics in order to establish footholds inside victim environments. The exclusive interest in\r\nJapanese government, education, and commerce will likely continue into the future as the\r\ngroup is just starting to build and utilize its current attack infrastructure.\r\nObserved\r\nSectors: Education, Government and Commerce.\r\nCountries: Japan.\r\nTools used ChChes, Tofu Backdoor.\r\nInformation\r\n\u003chttps://threatvector.cylance.com/en_us/home/the-deception-project-a-new-japanese-centric-threat.html\u003e\r\n\u003chttps://www.jpcert.or.jp/magazine/acreport-ChChes.html\u003e\r\nLast change to this card: 15 April 2020\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5550b040-3ff3-436f-a7d2-81740a987981\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=5550b040-3ff3-436f-a7d2-81740a987981\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5550b040-3ff3-436f-a7d2-81740a987981"
	],
	"report_names": [
		"showcard.cgi?u=5550b040-3ff3-436f-a7d2-81740a987981"
	],
	"threat_actors": [
		{
			"id": "42a7c8ec-e6f6-4460-9ad4-0ca2d3210135",
			"created_at": "2022-10-25T16:07:24.203518Z",
			"updated_at": "2026-04-10T02:00:04.898194Z",
			"deleted_at": null,
			"main_name": "Snake Wine",
			"aliases": [],
			"source_name": "ETDA:Snake Wine",
			"tools": [
				"ChChes",
				"HAYMAKER",
				"Ham Backdoor",
				"Tofu Backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029f7e65-fec8-481e-a7ef-9b5e53ef2371",
			"created_at": "2023-01-06T13:46:38.674255Z",
			"updated_at": "2026-04-10T02:00:03.063656Z",
			"deleted_at": null,
			"main_name": "Snake Wine",
			"aliases": [],
			"source_name": "MISPGALAXY:Snake Wine",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434025,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8368d3362d356c1bccd1b7a71b0dcda1397e9447.pdf",
		"text": "https://archive.orkl.eu/8368d3362d356c1bccd1b7a71b0dcda1397e9447.txt",
		"img": "https://archive.orkl.eu/8368d3362d356c1bccd1b7a71b0dcda1397e9447.jpg"
	}
}