{
	"id": "4429e529-39cb-4cab-9677-fc739c9e32ef",
	"created_at": "2026-04-06T00:07:25.683011Z",
	"updated_at": "2026-04-10T03:26:37.559146Z",
	"deleted_at": null,
	"sha1_hash": "9ab33bb9a7c65fdbc22e94a4934efe1ae8a0ad11",
	"title": "Nitro, Covert Grove - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56866,
	"plain_text": "Nitro, Covert Grove - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:32:32 UTC\nHome \u003e List all groups \u003e Nitro, Covert Grove\n APT group: Nitro, Covert Grove\nNames\nNitro (Symantec)\nCovert Grove (Symantec)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2011\nDescription\n(Symantec) The Nitro Attacks: Stealing Secrets from the Chemical Industry\nThe attackers have changed their targets over time. From late April to early May, the attackers focused on human\nrights related NGOs. They then moved on to the motor industry in late May. From June until mid-July no activity\nwas detected. At this point, the current attack campaign against the chemical industry began. This particular attack\nhas lasted much longer than previous attacks, spanning two and a half months.\nA total of 29 companies in the chemical sector were confirmed to be targeted in this attack wave and another 19 in\nvarious other sectors, primarily the defense sector, were seen to be affected as well. These 48 companies are the\nminimum number of companies targeted and likely other companies were also targeted. In a recent two week\nperiod, 101 unique IP addresses contacted a command and control server with traffic consistent with an infected\nmachine. These IPs represented 52 different unique Internet Service Providers or organizations in 20 countries.\nNitro may be related to APT 18, Dynamite Panda, Wekby.\nObserved\nSectors: Automotive, Chemical, NGOs, Technology.\nCountries: Argentina, Bangladesh, Canada, China, Czech, Finland, France, Germany, Hong Kong, India, Japan,\nNetherlands, Norway, Russia, Singapore, South Korea, Sweden, Taiwan, UK, USA.\nTools used Gh0st RAT, PCClient, Poison Ivy, Spindest.\nOperations performed Jul 2014\nNew Indicators of Compromise found\nHistorically, Nitro is known for targeted spear phishing campaigns and using Poison Ivy malware,\nwhich was not seen in these attacks. 
Since at least 2013, Nitro appears to have somewhat modified\ntheir malware and delivery methods to include Spindest and legitimate compromised websites, as\nreported by Cyber Squared’s TCIRT.\nInformation\nLast change to this card: 15 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=86c30d93-a2e8-4d04-9881-884cc59d7e19\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=86c30d93-a2e8-4d04-9881-884cc59d7e19\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=86c30d93-a2e8-4d04-9881-884cc59d7e19"
	],
	"report_names": [
		"showcard.cgi?u=86c30d93-a2e8-4d04-9881-884cc59d7e19"
	],
	"threat_actors": [
		{
			"id": "17b92337-ca5f-48bb-926b-c93b5e5678a4",
			"created_at": "2022-10-25T16:07:23.333316Z",
			"updated_at": "2026-04-10T02:00:04.546474Z",
			"deleted_at": null,
			"main_name": "APT 18",
			"aliases": [
				"APT 18",
				"Dynamite Panda",
				"G0026",
				"Red Wraith",
				"SILVERVIPER",
				"Satin Typhoon",
				"Scandium",
				"TG-0416",
				"Wekby"
			],
			"source_name": "ETDA:APT 18",
			"tools": [
				"AngryRebel",
				"AtNow",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HttpBrowser RAT",
				"HttpDump",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Pisloader",
				"QUICKBALL",
				"Roseam",
				"StickyFingers",
				"Token Control",
				"TokenControl",
				"hcdLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2669aa86-663f-4e72-9362-9e61ff3599f4",
			"created_at": "2022-10-25T15:50:23.344796Z",
			"updated_at": "2026-04-10T02:00:05.38663Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"APT18",
				"TG-0416",
				"Dynamite Panda",
				"Threat Group-0416"
			],
			"source_name": "MITRE:APT18",
			"tools": [
				"hcdLoader",
				"gh0st RAT",
				"cmd",
				"Pisloader",
				"HTTPBrowser"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434045,
	"ts_updated_at": 1775791597,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ab33bb9a7c65fdbc22e94a4934efe1ae8a0ad11.pdf",
		"text": "https://archive.orkl.eu/9ab33bb9a7c65fdbc22e94a4934efe1ae8a0ad11.txt",
		"img": "https://archive.orkl.eu/9ab33bb9a7c65fdbc22e94a4934efe1ae8a0ad11.jpg"
	}
}