{
	"id": "5f9b1014-a5d5-4df7-a61b-e073cccb4588",
	"created_at": "2026-04-06T00:07:11.727742Z",
	"updated_at": "2026-04-10T03:34:18.908877Z",
	"deleted_at": null,
	"sha1_hash": "8e7f950b05ab40bbec0caa913e43f719deda29b6",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52347,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:43:07 UTC\r\nAPT group: Lucky Cat\r\nNames: Lucky Cat (Symantec)\r\nCountry: China\r\nMotivation: Information theft and espionage\r\nFirst seen: 2011\r\nDescription\r\n(Symantec) A series of attacks, targeting both Indian military research and South Asian shipping organizations,\r\ndemonstrates the minimum level of effort required to successfully compromise a target and steal sensitive information.\r\nThe attackers use very simple malware, which required little development time or skill, in conjunction with freely\r\navailable web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return\r\non their investment. The attack shows that an intelligent attacker does not need to be particularly technically skilled in\r\norder to steal the information they are after. The attack begins, as is often the case, with an email sent to the victim. A\r\nmalicious document is attached to the email, which, when loaded, activates the malware. The attackers use tailored\r\nemails to encourage the victim to open the attachment. For example, one email sent to an academic claimed to be a call for\r\npapers (CFP) for a conference.\r\nThe vast majority of the victims were based in India, with some in Malaysia. The victim industry was mostly military\r\nresearch, and also shipping based in the Arabian and South China seas. In some instances the attackers appeared to\r\nhave a clear goal, whereby specific files were retrieved from certain compromised computers. In other cases, the\r\nattackers used more of a ‘shotgun’ approach, copying every file from a computer. Military technologies were\r\nobviously the focus of one particular attack, in which what appeared to be source code was stolen. 45 different attacker IP\r\naddresses were observed. Of those, 43 were within the same IP address range, based in Sichuan province, China.\r\nThe remaining two were based in South Korea. The pattern of attacker connections implies that the IP addresses are\r\nbeing used as a VPN, probably in an attempt to render the attackers anonymous.\r\nThe attacks were active from at least April 2011 up to February 2012. The attackers are intelligent and focused,\r\nemploying the minimum amount of work necessary for the maximum gain. They do not use zero-day exploits or\r\ncomplicated threats; instead they rely on effective social engineering and lax security measures on the part of the\r\nvictims.\r\nObserved\r\nSectors: Aerospace, Defense, Engineering, Shipping and Logistics, and Tibetan activists.\r\nCountries: India, Japan, Malaysia, Tibet.\r\nTools used: Comfoo, Lucky Cat, Sojax, WMI Ghost.\r\nInformation\r\n\u003chttps://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pd\r\n\u003chttps://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf\u003e\r\nLast change to this card: 14 April 2020\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5472bd65-7a33-4ae8-9918-79509d45f2df",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5472bd65-7a33-4ae8-9918-79509d45f2df"
	],
	"report_names": [
		"showcard.cgi?u=5472bd65-7a33-4ae8-9918-79509d45f2df"
	],
	"threat_actors": [
		{
			"id": "9792e41f-4165-474b-99fa-e74ec332bd87",
			"created_at": "2023-01-06T13:46:38.986789Z",
			"updated_at": "2026-04-10T02:00:03.172308Z",
			"deleted_at": null,
			"main_name": "Lucky Cat",
			"aliases": [
				"TA413",
				"White Dev 9"
			],
			"source_name": "MISPGALAXY:Lucky Cat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a651080-cb2f-49bb-87cb-b9c6f6f99ce9",
			"created_at": "2022-10-25T16:07:23.809467Z",
			"updated_at": "2026-04-10T02:00:04.756067Z",
			"deleted_at": null,
			"main_name": "Lucky Cat",
			"aliases": [],
			"source_name": "ETDA:Lucky Cat",
			"tools": [
				"Comfoo",
				"Comfoo RAT",
				"Lucky Cat",
				"LuckyCat",
				"Sojax",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434031,
	"ts_updated_at": 1775792058,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e7f950b05ab40bbec0caa913e43f719deda29b6.pdf",
		"text": "https://archive.orkl.eu/8e7f950b05ab40bbec0caa913e43f719deda29b6.txt",
		"img": "https://archive.orkl.eu/8e7f950b05ab40bbec0caa913e43f719deda29b6.jpg"
	}
}