{
	"id": "89dc22c4-a8d6-4899-b00b-3f55a4580485",
	"created_at": "2026-04-06T00:09:20.306863Z",
	"updated_at": "2026-04-10T03:36:33.606165Z",
	"deleted_at": null,
	"sha1_hash": "9bbb70f4df498f54d0f8732fa52030483aeb901a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50619,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:11:47 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Farseer\n Tool: Farseer\nNames Farseer\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) The threat actors behind Farseer, and related malware including HenBox,\ncontinue to grow their armoury with the addition of this previously-unknown malware\nfamily. The overlapping infrastructure, shared TTPs and similarities in malicious code and\nconfigurations highlights the web of threats used to target victims in and around the South\nEast Asia region and perhaps beyond.\nFarseer payloads are backdoors that beacon to pre-configured C2 servers for instructions.\nThe malware uses various techniques to evade detection and inhibit analysis. For\nexample, DLL sideloading using trusted, signed executables allows the malware to\nexecute rather seamlessly; some payloads are encrypted on disk preventing analysis,\nespecially as decompression and decryption occurs at runtime, in-memory, where code is\nfurther altered to thwart forensic analysis.\nWhereas HenBox posed a threat for devices running Android, Farseer is built to target\nWindows, which appears to be more typical given previous threats seen from the group or\ngroups behind this, and related malware.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool Farseer\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3de28b40-0bda-4ae0-a87d-8e67085b5c7a\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  Mustang Panda, Bronze President 2012-Jun 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3de28b40-0bda-4ae0-a87d-8e67085b5c7a\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3de28b40-0bda-4ae0-a87d-8e67085b5c7a\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3de28b40-0bda-4ae0-a87d-8e67085b5c7a"
	],
	"report_names": [
		"listgroups.cgi?u=3de28b40-0bda-4ae0-a87d-8e67085b5c7a"
	],
	"threat_actors": [
		{
			"id": "926dcfeb-19dd-4786-b601-3c0c4c477b43",
			"created_at": "2023-01-06T13:46:38.787762Z",
			"updated_at": "2026-04-10T02:00:03.10053Z",
			"deleted_at": null,
			"main_name": "HenBox",
			"aliases": [],
			"source_name": "MISPGALAXY:HenBox",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434160,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9bbb70f4df498f54d0f8732fa52030483aeb901a.pdf",
		"text": "https://archive.orkl.eu/9bbb70f4df498f54d0f8732fa52030483aeb901a.txt",
		"img": "https://archive.orkl.eu/9bbb70f4df498f54d0f8732fa52030483aeb901a.jpg"
	}
}