{ "id": "742adc44-8027-4696-acca-407f780b5c27", "created_at": "2026-04-06T00:06:19.407856Z", "updated_at": "2026-04-10T03:35:44.184487Z", "deleted_at": null, "sha1_hash": "8d41bb3caafc4cfc1d102712d3550e7b748077ba", "title": "APT 5, Keyhole Panda - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54875, "plain_text": "APT 5, Keyhole Panda - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 20:31:53 UTC\r\nHome \u003e List all groups \u003e APT 5, Keyhole Panda\r\n APT group: APT 5, Keyhole Panda\r\nNames\r\nAPT 5 (FireEye)\r\nKeyhole Panda (CrowdStrike)\r\nTEMP.Bottle (iSight)\r\nBronze Fleetwood (SecureWorks)\r\nTG-2754 (SecureWorks)\r\nPoisoned Flight (Kaspersky)\r\nManganese (Microsoft)\r\nMulberry Typhoon (Microsoft)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2007\r\nDescription (FireEye) We have observed one APT group, which we call APT5, particularly\r\nfocused on telecommunications and technology companies. More than half of the\r\norganizations we have observed being targeted or breached by APT5 operate in these\r\nsectors. Several times, APT5 has targeted organizations and personnel based in\r\nSoutheast Asia.\r\nAPT5 has been active since at least 2007. It appears to be a large threat group that\r\nconsists of several subgroups, often with distinct tactics and infrastructure. APT5 has\r\ntargeted or breached organizations across multiple industries, but its focus appears to\r\nbe on telecommunications and technology companies, especially information about\r\nsatellite communications.\r\nAPT5 targeted the network of an electronics firm that sells products for both\r\nindustrial and military applications. The group subsequently stole communications\r\nrelated to the firm’s business relationship with a national military, including\r\ninventories and memoranda about specific products they provided.\r\nIn one case in late 2014, APT5 breached the network of an international\r\ntelecommunications company. The group used malware with keylogging capabilities\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ac14c97f-10ba-4b03-8a27-073682b83780\r\nPage 1 of 2\n\nto monitor the computer of an executive who manages the company’s relationships\nwith other telecommunications companies.\nThere is some overlap with PittyTiger, Pitty Panda.\nObserved\nSectors: Defense, High-Tech, Industrial, Technology, Telecommunications.\nCountries: Southeast Asia.\nTools used LEOUNCIA.\nOperations performed Aug 2019\nA group of Chinese state-sponsored hackers is targeting enterprise\nVPN servers from Fortinet and Pulse Secure after details about\nsecurity flaws in both products became public knowledge last month.\nInformation\nLast change to this card: 26 April 2023\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ac14c97f-10ba-4b03-8a27-073682b83780\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ac14c97f-10ba-4b03-8a27-073682b83780\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ac14c97f-10ba-4b03-8a27-073682b83780" ], "report_names": [ "showcard.cgi?u=ac14c97f-10ba-4b03-8a27-073682b83780" ], "threat_actors": [ { "id": "1b77c737-ab1f-45e9-ae50-996741d94ab2", "created_at": "2022-10-25T15:50:23.842907Z", "updated_at": "2026-04-10T02:00:05.401907Z", "deleted_at": null, "main_name": "PittyTiger", "aliases": [ "PittyTiger" ], "source_name": "MITRE:PittyTiger", "tools": [ "gh0st RAT", "Lurid", "gsecdump", "PoisonIvy", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "6241b9be-9c59-4164-a7f2-c45844b14a56", "created_at": "2023-01-06T13:46:38.321506Z", "updated_at": "2026-04-10T02:00:02.926657Z", "deleted_at": null, "main_name": "APT24", "aliases": [ "PITTY PANDA", "G0011", "Temp.Pittytiger" ], "source_name": "MISPGALAXY:APT24", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "13bedce4-3115-4563-afd5-068e3930e68e", "created_at": "2023-01-06T13:46:38.623775Z", "updated_at": "2026-04-10T02:00:03.042652Z", "deleted_at": null, "main_name": "APT5", "aliases": [ "KEYHOLE PANDA", "BRONZE FLEETWOOD", "TEMP.Bottle", "Mulberry Typhoon", "Poisoned Flight" ], "source_name": "MISPGALAXY:APT5", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d18fe42c-8407-4f96-aee0-a04e6dce219a", "created_at": "2023-01-06T13:46:38.275292Z", "updated_at": "2026-04-10T02:00:02.907303Z", "deleted_at": null, "main_name": "APT12", "aliases": [ "Group 22", "Calc Team", "DNSCalc", "IXESHE", "Hexagon Typhoon", "BeeBus", "DynCalc", "Crimson Iron", "BRONZE GLOBE", "NUMBERED PANDA", "TG-2754" ], "source_name": "MISPGALAXY:APT12", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55", "created_at": "2024-04-24T02:00:49.599348Z", "updated_at": "2026-04-10T02:00:05.303948Z", "deleted_at": null, "main_name": "APT5", "aliases": [ "APT5", "Mulberry Typhoon", "BRONZE FLEETWOOD", "Keyhole Panda", "UNC2630" ], "source_name": "MITRE:APT5", "tools": [ "Tasklist", "PoisonIvy", "RAPIDPULSE", "PcShare", "Mimikatz", "SLOWPULSE", "SLIGHTPULSE", "Skeleton Key", "gh0st RAT", "PULSECHECK", "netstat" ], "source_id": "MITRE", "reports": null }, { "id": "37941e7c-1966-4afa-b116-753e19e72808", "created_at": "2022-10-25T16:07:23.321195Z", "updated_at": "2026-04-10T02:00:04.540299Z", "deleted_at": null, "main_name": "APT 5", "aliases": [ "APT 5", "Bronze Fleetwood", "Keyhole Panda", "Mulberry Typhoon", "Poisoned Flight", "TEMP.Bottle", "TG-2754" ], "source_name": "ETDA:APT 5", "tools": [ "LEOUNCIA", "shoco" ], "source_id": "ETDA", "reports": null }, { "id": "c2ef6b18-12c4-4879-a408-be4c9b03eb6e", "created_at": "2022-10-25T16:07:24.055115Z", "updated_at": "2026-04-10T02:00:04.852387Z", "deleted_at": null, "main_name": "PittyTiger", "aliases": [ "G0011", "Operation The Eye of the Tiger", "Pitty Panda", "PittyTiger" ], "source_name": "ETDA:PittyTiger", "tools": [ "AngryRebel", "Chymine", "Darkmoon", "Enfal", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Leo RAT", "Lurid", "Mimikatz", "Moudour", "Mydoor", "PCRat", "Paladin", "Paladin RAT", "Pitty", "PittyTiger RAT", "Poison Ivy", "ReRol", "SPIVY", "gsecdump", "pgift", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "47a8f6c7-5b29-4892-8f47-1d46be71714f", "created_at": "2025-08-07T02:03:24.599925Z", "updated_at": "2026-04-10T02:00:03.720795Z", "deleted_at": null, "main_name": "BRONZE FLEETWOOD", "aliases": [ "APT5 ", "DPD ", "Keyhole Panda ", "Mulberry Typhoon ", "Poisoned Flight ", "TG-2754 " ], "source_name": "Secureworks:BRONZE FLEETWOOD", "tools": [ "Binanen", "Comfoo", "Gh0st RAT", "Isastart", "Leouncia", "Marade", "OrcaRAT", "PCShare", "Protux", "Skeleton Key", "SlyPidgin", "VinSelf" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775433979, "ts_updated_at": 1775792144, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8d41bb3caafc4cfc1d102712d3550e7b748077ba.pdf", "text": "https://archive.orkl.eu/8d41bb3caafc4cfc1d102712d3550e7b748077ba.txt", "img": "https://archive.orkl.eu/8d41bb3caafc4cfc1d102712d3550e7b748077ba.jpg" } }