{ "id": "c86fae18-468e-46da-87f7-61c8087a5fc5", "created_at": "2026-04-06T00:13:07.985616Z", "updated_at": "2026-04-10T03:37:21.603305Z", "deleted_at": null, "sha1_hash": "8bf8e17c7d06cf58dfe8592c4ceaad16ba9d5e03", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 63931, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:10:12 UTC\r\n APT group: TA428\r\nNames\r\nTA428 (Proofpoint)\r\nPanda (NTT)\r\nThunderCats (SentinelLabs)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nDescription\r\n(Proofpoint) Proofpoint researchers initially identified email campaigns with malicious\r\nRTF document attachments targeting East Asian government agencies in March 2019.\r\nThese campaigns originated from adversary-operated free email sender accounts at\r\nyahoo[.]co[.].jp and yahoo[.]com. Sender addresses often imitated common names\r\nfound in the languages of targeted entities. Spear phishing emails included malicious\r\n.doc attachments that were actually RTF files saved with .doc file extensions.\r\nThe lures used in the subjects, attachment names, and attachment content in several\r\ncases utilized information technology themes specific to Asia such as governmental or\r\npublic training documents relating to IT. On one specific occasion an email utilized the\r\nsubject “ITU Asia-Pacific Online CoE Training Course on ‘Conformity \u0026\r\nInteroperability in 5G’ for the Asia-Pacific Region, 15-26 April 2019” and the\r\nattachment name “190315_annex 1 online_course_agenda_coei_c\u0026i.doc”. The\r\nconference referenced in the lure was an actual event likely selected due to its\r\nrelevance to potential victims. This is significant as countries in the APAC region\r\ncontinue to adopt Chinese 5G technology in government as well as heavy equipment\r\nindustries.\r\nThis actor worked together with Emissary Panda, APT 27, LuckyMouse, Bronze Union\r\nin Operation StealthyTrident.\r\nObserved\r\nSectors: Government and industrial plants, design bureaus and research institutes.\r\nCountries: Afghanistan, Belarus, Mongolia, Russia, Ukraine and East Asia.\r\nTools used\r\n8.t Dropper, Albaniiutas, Cotx RAT, CoughingDown, PhantomNet, PlugX, Poison Ivy,\r\nTManger.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=55f64f67-e6f0-4a22-8ba8-110c22f6c9c5\r\nPage 1 of 3\n\nOperations performed\nMar 2019\nOperation “LagTime IT”\nAttackers relied on Microsoft Equation Editor exploit CVE-2018-0798\nto deliver a custom malware that Proofpoint researchers have dubbed\nCotx RAT.\nAdditionally, this APT group utilizes Poison Ivy payloads that share\noverlapping command and control (C\u0026C) infrastructure with the newly\nidentified Cotx campaigns.\nJun 2020\nOperation “StealthyTrident”\nESET researchers discovered that chat software called Able Desktop,\npart of a business management suite popular in Mongolia and used by\n430 government agencies in Mongolia.\nDec 2020\nChina-linked TA428 Continues to Target Russia and Mongolia IT\nCompanies\nMay 2021\nThunderCats Hack the FSB\nJan 2022\nTargeted attack on industrial enterprises and public institutions\nInformation\nLast change to this card: 12 September 2022\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=55f64f67-e6f0-4a22-8ba8-110c22f6c9c5\nPage 2 of 3\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=55f64f67-e6f0-4a22-8ba8-110c22f6c9c5\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=55f64f67-e6f0-4a22-8ba8-110c22f6c9c5\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=55f64f67-e6f0-4a22-8ba8-110c22f6c9c5" ], "report_names": [ "showcard.cgi?u=55f64f67-e6f0-4a22-8ba8-110c22f6c9c5" ], "threat_actors": [ { "id": "b740943a-da51-4133-855b-df29822531ea", "created_at": "2022-10-25T15:50:23.604126Z", "updated_at": "2026-04-10T02:00:05.259593Z", "deleted_at": null, "main_name": "Equation", "aliases": [ "Equation" ], "source_name": "MITRE:Equation", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253", "created_at": "2022-10-25T16:07:24.277669Z", "updated_at": "2026-04-10T02:00:04.919609Z", "deleted_at": null, "main_name": "TA428", "aliases": [ "Operation LagTime IT", "Operation StealthyTrident", "ThunderCats" ], "source_name": "ETDA:TA428", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "Albaniiutas", "BlueTraveller", "Chymine", "Cotx RAT", "CoughingDown", "Darkmoon", "Destroy RAT", "DestroyRAT", "Gen:Trojan.Heur.PT", "Kaba", "Korplug", "LuckyBack", "PhantomNet", "PlugX", "Poison Ivy", "RedDelta", "RoyalRoad", "SManager", "SPIVY", "Sogu", "TIGERPLUG", "TManger", "TVT", "Thoper", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "115ee14e-a122-47a4-bef7-5d3668cda109", "created_at": "2025-01-10T02:00:03.15179Z", "updated_at": "2026-04-10T02:00:03.800179Z", "deleted_at": null, "main_name": "CoughingDown", "aliases": [], "source_name": "MISPGALAXY:CoughingDown", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "20b5fa2f-2ef1-4e69-8275-25927a762f72", "created_at": "2025-08-07T02:03:24.573647Z", "updated_at": "2026-04-10T02:00:03.765721Z", "deleted_at": null, "main_name": "BRONZE DUDLEY", "aliases": [ "TA428 ", "Temp.Hex ", "Vicious Panda " ], "source_name": "Secureworks:BRONZE DUDLEY", "tools": [ "NCCTrojan", "PhantomNet", "PoisonIvy", "Royal Road" ], "source_id": "Secureworks", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1", "created_at": "2023-01-06T13:46:39.042499Z", "updated_at": "2026-04-10T02:00:03.194713Z", "deleted_at": null, "main_name": "TA428", "aliases": [ "BRONZE DUDLEY", "Colourful Panda" ], "source_name": "MISPGALAXY:TA428", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null }, { "id": "236429ce-6355-43f6-9b58-e6803a1df3f4", "created_at": "2026-03-16T02:02:50.60344Z", "updated_at": "2026-04-10T02:00:03.641587Z", "deleted_at": null, "main_name": "Bronze Union", "aliases": [ "Circle Typhoon ", "Emissary Panda " ], "source_name": "Secureworks:Bronze Union", "tools": [ "China Chopper", "OwaAuth", "Sysupdate" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434387, "ts_updated_at": 1775792241, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8bf8e17c7d06cf58dfe8592c4ceaad16ba9d5e03.pdf", "text": "https://archive.orkl.eu/8bf8e17c7d06cf58dfe8592c4ceaad16ba9d5e03.txt", "img": "https://archive.orkl.eu/8bf8e17c7d06cf58dfe8592c4ceaad16ba9d5e03.jpg" } }