{
	"id": "6fdba497-2a0b-44e1-8b6f-ba4fcd097232",
	"created_at": "2026-04-06T00:22:24.037812Z",
	"updated_at": "2026-04-10T03:25:35.331146Z",
	"deleted_at": null,
	"sha1_hash": "9ccf6337845b3ed8bca91a687f3ee7a861b733ed",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56727,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:56:06 UTC\nAPT group: ChamelGang\nNames\nChamelGang (Positive Technologies)\nCamoFei (TeamT5)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2021\nDescription\n(Positive Technologies) In Q2 2021, the PT Expert Security Center incident response\nteam conducted an investigation in an energy company. The investigation revealed\nthat the company's network had been compromised by an unknown group for the\npurpose of data theft. We gave the group the name ChamelGang (from the word\n'chameleon'), because the group disguised its malware and network infrastructure\nunder legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google. The\nattackers employed two methods. They acquired domains that imitate legitimate\nones. In addition, the APT group placed SSL certificates that also imitated legitimate\nones on its servers. To achieve their goal, the attackers used a trending penetration\nmethod—supply chain. The group compromised a subsidiary and penetrated the\ntarget company's network through it.\nObserved\nSectors: Aviation, Energy, Government.\nCountries: Afghanistan, Brazil, India, Japan, Lithuania, Nepal, Russia, Taiwan,\nTurkey, USA, Vietnam.\nTools used 7-Zip, BeaconLoader, Cobalt Strike, DoorMe, FRP, ProxyT, Tiny SHell.\nOperations performed\n2022\nChamelGang \u0026 Friends | Cyberespionage Groups Attacking Critical\nInfrastructure with Ransomware\nJun 2023\nChamelGang and ChamelDoH: A DNS-over-HTTPS implant\nInformation\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=832c145a-c7d3-43b4-9f9e-6998371616d7\n\nLast change to this card: 26 August 2024\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=832c145a-c7d3-43b4-9f9e-6998371616d7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=832c145a-c7d3-43b4-9f9e-6998371616d7"
	],
	"report_names": [
		"showcard.cgi?u=832c145a-c7d3-43b4-9f9e-6998371616d7"
	],
	"threat_actors": [
		{
			"id": "4434c71b-c424-4c06-b923-4f3f54f24f40",
			"created_at": "2022-10-25T16:07:23.453526Z",
			"updated_at": "2026-04-10T02:00:04.611408Z",
			"deleted_at": null,
			"main_name": "ChamelGang",
			"aliases": [
				"CamoFei"
			],
			"source_name": "ETDA:ChamelGang",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BeaconLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DoorMe",
				"FRP",
				"Fast Reverse Proxy",
				"ProxyT",
				"Tiny SHell",
				"cobeacon",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a0673493-5872-49a0-8d0d-4391302cff01",
			"created_at": "2023-03-04T02:01:54.10107Z",
			"updated_at": "2026-04-10T02:00:03.358084Z",
			"deleted_at": null,
			"main_name": "Chamelgang",
			"aliases": [
				"CamoFei"
			],
			"source_name": "MISPGALAXY:Chamelgang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434944,
	"ts_updated_at": 1775791535,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ccf6337845b3ed8bca91a687f3ee7a861b733ed.pdf",
		"text": "https://archive.orkl.eu/9ccf6337845b3ed8bca91a687f3ee7a861b733ed.txt",
		"img": "https://archive.orkl.eu/9ccf6337845b3ed8bca91a687f3ee7a861b733ed.jpg"
	}
}