{
	"id": "9e177fe8-1215-4bbe-97e8-5e7de3097020",
	"created_at": "2026-04-06T00:15:52.378807Z",
	"updated_at": "2026-04-10T03:38:06.236194Z",
	"deleted_at": null,
	"sha1_hash": "97ff0d156700bc1bcf1376cfd8fdd7261bac0e26",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94637,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 11:38:18 UTC\nAPT group: DarkHotel\nNames\nDarkHotel (Kaspersky)\nAPT-C-06 (Qihoo 360)\nSIG25 (NSA)\nDubnium (Microsoft)\nFallout Team (FireEye)\nShadow Crane (CrowdStrike)\nCTG-1948 (SecureWorks)\nTungsten Bridge (SecureWorks)\nATK 52 (Thales)\nHigaisa (Tencent)\nT-APT-02 (Tencent)\nLuder (?)\nZigzag Hail (Microsoft)\nTieOnJoe (?)\nPurple Pygmy (PWC)\nG0012 (MITRE)\nG0126 (MITRE)\nCountry: South Korea\nSponsor: State-sponsored\nMotivation: Information theft and espionage\nFirst seen: 2007\nDescription (SecurityWeek): The activities of the DarkHotel advanced persistent threat (APT) actor came to light in November 2014, when Kaspersky published a report detailing a sophisticated cyberespionage campaign targeting business travelers in the Asia-Pacific region. The group has been around for nearly a decade and some researchers believe its members are Korean speakers.\nThe attackers targeted their victims using several methods, including through their hotel’s Wi-Fi, zero-day exploits and peer-to-peer (P2P) file sharing websites. Nearly one year later, the threat group was observed using new attack techniques and an exploit leaked from Italian spyware maker Hacking Team.\nDarkHotel victims have been spotted in several countries, including North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, Taiwan, China, the United States, India, Mozambique, Indonesia and Germany. Up until recently, the attacks appeared to focus on company executives, researchers and development personnel from sectors such as defense industrial base, military, energy, government, NGOs, electronics manufacturing, pharmaceutical, and medical.\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=142dc639-1360-4a2d-a839-11e62ca724e4\nPage 1 of 4\nIn more recent DarkHotel attacks it has dubbed “Inexsmar,” security firm Bitdefender said the hackers targeted political figures, and they appeared to be using some new methods.\nObserved\nSectors: Defense, Energy, Government, Healthcare, Hospitality, NGOs, Pharmaceutical, Research, Technology and Chinese institutions abroad.\nCountries: Afghanistan, Armenia, Bangladesh, Belgium, China, Ethiopia, Germany, Greece, Hong Kong, India, Indonesia, Ireland, Israel, Italy, Japan, Kazakhstan, Kyrgyzstan, Lebanon, Malaysia, Mexico, Mozambique, North Korea, Pakistan, Philippines, Russia, Saudi Arabia, Serbia, Singapore, South Korea, Taiwan, Tajikistan, Thailand, Turkey, UAE, UK, USA, Vietnam and others.\nTools used\nAsruex, DarkHotel, DmaUp3.exe, GreezeBackdoor, Karba, msieckc.exe, Nemim, Pioneer, Ramsay, Retro, Tapaoux and various 0-days from the Hacking Team breach.\nOperations performed\n2010\nOperation “DarkHotel”\nTarget: The travelers are often top executives from a variety of industries doing business and outsourcing in the APAC region. Targets have included CEOs, senior vice presidents, sales and marketing directors and top R\u0026D staff.\nMethod: spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew’s most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.\n2015\nDarkhotel’s attacks in 2015\nDec 2015\nOperation “Daybreak”\nMethod: Uses Flash zero-day exploit for CVE-2015-8651.\nNote: not the same operation as Reaper, APT 37, Ricochet Chollima, ScarCruft’s Operation “Daybreak”.\nSep 2016\nOperation “Inexsmar”\nTarget: seems to be used in a campaign that targets political figures rather than the usual corporate research and development personnel, CEOs and other senior corporate officials.\nMethod: This attack uses a new payload delivery mechanism rather than the consecrated zero-day exploitation techniques, blending social engineering with a relatively complex Trojan to infect its selected pool of victims.\nApr 2018\nAnalysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack\nAug 2018\nDarkhotel APT is back: Zero-day vulnerability in Microsoft VBScript is exploited\nJan 2020\nDarkhotel uses a new Zero-day vulnerability in the Internet Explorer scripting engine\nMar 2020\nOn March 15, 2020, ATR identified a malicious .lnk file that utilizes an infection chain similar to other known APT groups. This campaign was found to use C2 infrastructure that overlaps with the Korea-based APT group, Higaisa. The lure document, dropped by the .lnk file, was downloaded from the World Health Organization website, and is likely being used to target English-speaking individuals and entities.\nMar 2020\nSince March this year, more than 200 VPN servers have been compromised and many Chinese institutions abroad were under attack. In early April, the attack spread to government agencies in Beijing and Shanghai.\nMay 2020\nRamsay: A cyber-espionage toolkit tailored for air-gapped networks\nMay 2020\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.\nMay 2020\nOperation “The Gh0st Remains the Same”\nIn this engagement, the victims received a compressed RAR folder that contained trojanized files. If the malicious files were engaged, they displayed decoy web pages associated with the software company “Zeplin”.\nMay 2020\nOperation “PowerFall”\nIn May 2020, Kaspersky technologies prevented an attack on a South Korean company by a malicious script for Internet Explorer. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for Windows.\nNov 2021\nNew DarkHotel APT attack chain identified\nDec 2021\nSuspected DarkHotel APT activity update\n2023\nAttack Upgraded: Disclosure of DarkHotel Organization's Latest RPC Attack Components\nInformation\nMITRE ATT\u0026CK\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=142dc639-1360-4a2d-a839-11e62ca724e4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=142dc639-1360-4a2d-a839-11e62ca724e4"
	],
	"report_names": [
		"showcard.cgi?u=142dc639-1360-4a2d-a839-11e62ca724e4"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20",
			"created_at": "2023-01-06T13:46:39.138138Z",
			"updated_at": "2026-04-10T02:00:03.227223Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [],
			"source_name": "MISPGALAXY:Higaisa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0",
			"created_at": "2022-10-25T15:50:23.400822Z",
			"updated_at": "2026-04-10T02:00:05.350302Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [
				"Higaisa"
			],
			"source_name": "MITRE:Higaisa",
			"tools": [
				"PlugX",
				"certutil",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434552,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97ff0d156700bc1bcf1376cfd8fdd7261bac0e26.pdf",
		"text": "https://archive.orkl.eu/97ff0d156700bc1bcf1376cfd8fdd7261bac0e26.txt",
		"img": "https://archive.orkl.eu/97ff0d156700bc1bcf1376cfd8fdd7261bac0e26.jpg"
	}
}