{ "id": "424917b0-06a8-42a2-a420-21226b1c5f95", "created_at": "2026-04-06T00:15:18.831421Z", "updated_at": "2026-04-10T13:11:41.503625Z", "deleted_at": null, "sha1_hash": "8c079c1961821a57fdeccc96c0dda559c41288c6", "title": "28 - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47192, "plain_text": "28 - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:48:26 UTC\n APT group: TAG-28\nNames TAG-28 (Recorded Future)\nCountry China\nSponsor State-sponsored\nMotivation Information theft and espionage\nFirst seen 2021\nDescription\n(Recorded Future) We have identified further suspected intrusions targeting the Indian media\nconglomerate Bennett Coleman And Co Ltd (BCCL), commonly known as “The Times\nGroup”; the Unique Identification Authority of India (UIDAI); and the Madhya Pradesh Police\ndepartment. The UIDAI is the Indian government agency responsible for the national\nidentification database, more commonly called “Aadhaar”, which contains private biometric\ninformation for over 1 billion Indian citizens. These intrusions were conducted by an activity\ngroup we track using a temporary designation, TAG-28.\nObserved\nSectors: Government, Media.\nCountries: India.\nTools used Cobalt Strike, Winnti.\nInformation\nLast change to this card: 02 November 2021\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=43da3049-5058-42f7-92f5-cbb11a106278\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=43da3049-5058-42f7-92f5-cbb11a106278\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=43da3049-5058-42f7-92f5-cbb11a106278" ], "report_names": [ "showcard.cgi?u=43da3049-5058-42f7-92f5-cbb11a106278" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "acd409e4-7c55-4110-a441-f3ecf6d20354", "created_at": "2024-01-23T13:22:35.073924Z", "updated_at": "2026-04-10T02:00:03.518289Z", "deleted_at": null, "main_name": "TAG-28", "aliases": [], "source_name": "MISPGALAXY:TAG-28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6cf5f006-5ed7-4a00-8103-1781bad5a5e1", "created_at": "2022-10-25T16:07:24.294829Z", "updated_at": "2026-04-10T02:00:04.925591Z", "deleted_at": null, "main_name": "TAG-28", "aliases": [], "source_name": "ETDA:TAG-28", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434518, "ts_updated_at": 1775826701, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8c079c1961821a57fdeccc96c0dda559c41288c6.pdf", "text": "https://archive.orkl.eu/8c079c1961821a57fdeccc96c0dda559c41288c6.txt", "img": "https://archive.orkl.eu/8c079c1961821a57fdeccc96c0dda559c41288c6.jpg" } }