{ "id": "77f72bd6-2dce-4d9f-b45a-db1082fc054d", "created_at": "2026-04-06T00:21:46.213708Z", "updated_at": "2026-04-10T03:29:29.287136Z", "deleted_at": null, "sha1_hash": "9d09ff4a3f8e86578f523ce642e060742dd24440", "title": "Shadow Network - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 59981, "plain_text": "Shadow Network - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 13:43:05 UTC\r\nHome \u003e List all groups \u003e Shadow Network\r\n APT group: Shadow Network\r\nNames Shadow Network (Information Warfare Monitor)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2010\r\nDescription\r\n(Information Warfare Monitor) Shadows in the Cloud documents a complex ecosystem\r\nof cyber espionage that systematically compromised government, business, academic,\r\nand other computer network systems in India, the Offices of the Dalai Lama, the United\r\nNations, and several other countries. The report also contains an analysis of data which\r\nwere stolen from politically sensitive targets and recovered during the course of the\r\ninvestigation. These include documents from the Offices of the Dalai Lama and\r\nagencies of the Indian national security establishment. Data containing sensitive\r\ninformation on citizens of numerous third-party countries, as well as personal,\r\nfinancial, and business information, were also exfiltrated and recovered during the\r\ncourse of the investigation. The report analyzes the malware ecosystem employed by\r\nthe Shadows’ attackers, which leveraged multiple redundant cloud computing systems,\r\nsocial networking platforms, and free web hosting services in order to maintain\r\npersistent control while operating core servers located in the People’s Republic of\r\nChina (PRC). Although the identity and motivation of the attackers remain unknown,\r\nthe report is able to determine the location (Chengdu, PRC) as well as some of the\r\nassociations of the attackers through circumstantial evidence. The investigation is the\r\nproduct of an eight month, collaborative activity between the Information Warfare\r\nMonitor (Citizen Lab and SecDev) and the Shadowserver Foundation. The\r\ninvestigation employed a fusion methodology, combining technical interrogation\r\ntechniques, data analysis, and field research, to track and uncover the Shadow cyber\r\nespionage network.\r\nAlso see GhostNet, Snooping Dragon.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2e57bbb2-c3f8-426e-9abd-2d806d972a29\r\nPage 1 of 2\n\nObserved\r\nSectors: Education, Government and others.\r\nCountries: Afghanistan, Australia, Azerbaijan, Canada, China, France, Germany,\r\nGreece, Hong Kong, India, Israel, Italy, Japan, Lithuania, Malaysia, Mexico, Nepal,\r\nNetherlands, New Zealand, Pakistan, Papua New Guinea, Philippines, Qatar, Romania,\r\nRussia, South Korea, Sweden, Taiwan, Thailand, Tibet, UAE, UK, USA, Vietnam.\r\nTools used ShadowNet.\r\nCounter operations 2010 Taken down by the Shadowserver Foundation.\r\nInformation \u003chttps://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf\u003e\r\nLast change to this card: 15 April 2020\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2e57bbb2-c3f8-426e-9abd-2d806d972a29\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2e57bbb2-c3f8-426e-9abd-2d806d972a29\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2e57bbb2-c3f8-426e-9abd-2d806d972a29" ], "report_names": [ "showcard.cgi?u=2e57bbb2-c3f8-426e-9abd-2d806d972a29" ], "threat_actors": [ { "id": "3cc6c262-df23-4075-a93f-b496e8908eb2", "created_at": "2022-10-25T16:07:23.682239Z", "updated_at": "2026-04-10T02:00:04.708878Z", "deleted_at": null, "main_name": "GhostNet", "aliases": [ "GhostNet", "Snooping Dragon" ], "source_name": "ETDA:GhostNet", "tools": [ "AngryRebel", "Farfli", "Gh0st RAT", "Gh0stnet", "Ghost RAT", "Ghostnet", "Moudour", "Mydoor", "PCRat", "Remosh", "TOM-Skype" ], "source_id": "ETDA", "reports": null }, { "id": "c398d083-1e86-4cee-8937-eb057f0e6fdc", "created_at": "2022-10-25T16:07:24.172423Z", "updated_at": "2026-04-10T02:00:04.888972Z", "deleted_at": null, "main_name": "Shadow Network", "aliases": [], "source_name": "ETDA:Shadow Network", "tools": [ "ShadowNet" ], "source_id": "ETDA", "reports": null }, { "id": "e91dae30-a513-4fb1-aace-4457466313b3", "created_at": "2023-01-06T13:46:38.974913Z", "updated_at": "2026-04-10T02:00:03.168521Z", "deleted_at": null, "main_name": "GhostNet", "aliases": [ "Snooping Dragon" ], "source_name": "MISPGALAXY:GhostNet", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "172e5e21-e954-4322-9317-41f2cbaed7f1", "created_at": "2023-01-06T13:46:38.992713Z", "updated_at": "2026-04-10T02:00:03.174179Z", "deleted_at": null, "main_name": "Shadow Network", "aliases": [], "source_name": "MISPGALAXY:Shadow Network", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434906, "ts_updated_at": 1775791769, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9d09ff4a3f8e86578f523ce642e060742dd24440.pdf", "text": "https://archive.orkl.eu/9d09ff4a3f8e86578f523ce642e060742dd24440.txt", "img": "https://archive.orkl.eu/9d09ff4a3f8e86578f523ce642e060742dd24440.jpg" } }