{
	"id": "9c3c26e8-e75d-47e1-b780-794f12d3a6a5",
	"created_at": "2026-04-06T00:07:05.389504Z",
	"updated_at": "2026-04-10T13:12:43.689758Z",
	"deleted_at": null,
	"sha1_hash": "9d3ae59b6e9fec839c4b5435a0837dbab29f0ed9",
	"title": "Operation Comando - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46336,
	"plain_text": "Operation Comando - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 15:57:11 UTC\nHome \u003e List all groups \u003e Operation Comando\n APT group: Operation Comando\nNames Operation Comando (Palo Alto)\nCountry [Unknown]\nMotivation Financial crime\nFirst seen 2018\nDescription\n(Palo Alto) In December 2018, Palo Alto Networks Unit 42 researchers identified an ongoing\ncampaign with a strong focus on the hospitality sector, specifically on hotel reservations.\nAlthough our initial analysis didn’t show any novel or advanced techniques, we did observe\nstrong persistence during the campaign that triggered our curiosity.\nWe followed network traces and pivoted on the information left behind by this actor, such as\nopen directories, document metadata, and binary peculiarities, which enabled us to find a\ncustom-made piece of malware, that we named “CapturaTela”. Our discovery of this malware\nfamily shows the reason for the persistent focus on hotel reservations as a primary vector:\nstealing credit card information from customers.\nWe profiled this threat actor and that has resulted in uncovering not only their delivery\nmechanisms, but also their arsenal of remote access tools and info-stealing trojans, both\nacquired from underground forums as well as open source tools found in GitHub repositories.\nObserved\nSectors: Hospitality, specifically hotel reservations.\nCountries: Brazil.\nTools used AsyncRAT, CapturaTela, LimeRAT, NanoCore RAT, njRAT, RemcosRAT, RevengeRAT.\nInformation\nLast change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=06343cf4-1911-4cc4-8e5d-501194314650\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=06343cf4-1911-4cc4-8e5d-501194314650\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=06343cf4-1911-4cc4-8e5d-501194314650\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=06343cf4-1911-4cc4-8e5d-501194314650"
	],
	"report_names": [
		"showcard.cgi?u=06343cf4-1911-4cc4-8e5d-501194314650"
	],
	"threat_actors": [
		{
			"id": "e819f7c1-855b-4834-b30c-493832336ddb",
			"created_at": "2022-10-25T16:07:23.939418Z",
			"updated_at": "2026-04-10T02:00:04.796807Z",
			"deleted_at": null,
			"main_name": "Operation Comando",
			"aliases": [],
			"source_name": "ETDA:Operation Comando",
			"tools": [
				"AsyncRAT",
				"Atros2.CKPN",
				"Bladabindi",
				"CapturaTela",
				"Jorik",
				"LimeRAT",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Socmer",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e1e83b71-854a-4ddf-82ed-141c1d151c3c",
			"created_at": "2023-01-06T13:46:38.934536Z",
			"updated_at": "2026-04-10T02:00:03.150803Z",
			"deleted_at": null,
			"main_name": "Operation Comando",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Comando",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434025,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d3ae59b6e9fec839c4b5435a0837dbab29f0ed9.pdf",
		"text": "https://archive.orkl.eu/9d3ae59b6e9fec839c4b5435a0837dbab29f0ed9.txt",
		"img": "https://archive.orkl.eu/9d3ae59b6e9fec839c4b5435a0837dbab29f0ed9.jpg"
	}
}