{ "id": "177156ad-e96b-457a-a6d9-bf99befdef85", "created_at": "2026-04-06T00:08:00.502565Z", "updated_at": "2026-04-10T13:11:31.179775Z", "deleted_at": null, "sha1_hash": "92a583cd6e1e72a3d23de1d3824b34505e0b497a", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48566, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:08:00 UTC\n APT group: LuminousMoth\nNames LuminousMoth (Kaspersky)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2020\nDescription\n(Kaspersky) APT actors are known for the frequently targeted nature of their attacks.\nTypically, they will handpick a set of targets that in turn are handled with almost surgical\nprecision, with infection vectors, malicious implants and payloads being tailored to the\nvictims’ identities or environment. It’s not often we observe a large-scale attack conducted by\nactors fitting this profile, usually due to such attacks being noisy, and thus putting the\nunderlying operation at risk of being compromised by security products or researchers.\nWe recently came across unusual APT activity that exhibits the latter trait – it was detected in\nhigh volumes, albeit most likely aimed at a few targets of interest. This large-scale and highly\nactive campaign was observed in South East Asia and dates back to at least October 2020, with\nthe most recent attacks seen around the time of writing. Most of the early sightings were in\nMyanmar, but it now appears the attackers are much more active in the Philippines, where\nthere are more than 10 times as many known targets.\nFurther analysis revealed that the underlying actor, which we dubbed LuminousMoth, shows\nan affinity to the Mustang Panda, Bronze President (HoneyMyte) group. This is evident in\nboth network infrastructure connections, and the usage of similar TTPs to deploy the Cobalt\nStrike Beacon as a payload. In fact, our colleagues at ESET and Avast recently assessed that\nHoneyMyte was active in the same region. The proximity in time and common occurrence in\nMyanmar of both campaigns could suggest that various TTPs of HoneyMyte may have been\nborrowed for the activity of LuminousMoth.\nObserved Countries: Myanmar, Philippines.\nTools used Cobalt Strike.\nInformation Last change to this card: 09 August 2021\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2198ddbe-ccb6-4cfb-898f-3757226c1482\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2198ddbe-ccb6-4cfb-898f-3757226c1482\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2198ddbe-ccb6-4cfb-898f-3757226c1482\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2198ddbe-ccb6-4cfb-898f-3757226c1482" ], "report_names": [ "showcard.cgi?u=2198ddbe-ccb6-4cfb-898f-3757226c1482" ], "threat_actors": [ { "id": "7c00086d-9535-4552-8201-1dd725e41b12", "created_at": "2023-04-26T02:03:03.128736Z", "updated_at": "2026-04-10T02:00:05.239152Z", "deleted_at": null, "main_name": "LuminousMoth", "aliases": [ "LuminousMoth" ], "source_name": "MITRE:LuminousMoth", "tools": [ "PlugX", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "92049df8-7902-48e8-ad17-97398b923698", "created_at": "2022-10-25T16:07:23.81315Z", "updated_at": "2026-04-10T02:00:04.757082Z", "deleted_at": null, "main_name": "LuminousMoth", "aliases": [], "source_name": "ETDA:LuminousMoth", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434080, "ts_updated_at": 1775826691, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/92a583cd6e1e72a3d23de1d3824b34505e0b497a.pdf", "text": "https://archive.orkl.eu/92a583cd6e1e72a3d23de1d3824b34505e0b497a.txt", "img": "https://archive.orkl.eu/92a583cd6e1e72a3d23de1d3824b34505e0b497a.jpg" } }