{
	"id": "5b9ae553-c205-4c1f-9b98-47e63382a6c5",
	"created_at": "2026-04-06T00:21:29.191228Z",
	"updated_at": "2026-04-10T03:28:28.130375Z",
	"deleted_at": null,
	"sha1_hash": "9df59e76b67adf52c5f1977182597642ce4cedde",
	"title": "Operation Rusty Flag - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43025,
	"plain_text": "Operation Rusty Flag - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 13:18:13 UTC\r\nHome \u003e List all groups \u003e Operation Rusty Flag\r\n APT group: Operation Rusty Flag\r\nNames Operation Rusty Flag (Deep Instinct)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2023\r\nDescription\r\n(Deep Instinct) The operation has at least two different initial access vectors.\r\nThe operation is not associated with a known threat actor; the operation was instead named\r\nbecause of their novel malware written in the Rust programming language.\r\nOne of the lures used in the operation is a modified document that was used by the Tropical\r\nScorpius, RomCom group. This could be a deliberate “false flag”.\r\nObserved Countries: Azerbaijan.\r\nTools used\r\nInformation\r\n\u003chttps://www.deepinstinct.com/blog/operation-rusty-flag-a-malicious-campaign-against-azerbaijanian-targets\u003e\r\nLast change to this card: 12 October 2023\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ae038cc4-4e81-4107-bfef-32646c33fb5d\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ae038cc4-4e81-4107-bfef-32646c33fb5d\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ae038cc4-4e81-4107-bfef-32646c33fb5d"
	],
	"report_names": [
		"showcard.cgi?u=ae038cc4-4e81-4107-bfef-32646c33fb5d"
	],
	"threat_actors": [
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d7bf9558-5d45-49d0-8e8b-a263701e32ad",
			"created_at": "2023-10-14T02:03:14.3762Z",
			"updated_at": "2026-04-10T02:00:04.830277Z",
			"deleted_at": null,
			"main_name": "Operation Rusty Flag",
			"aliases": [],
			"source_name": "ETDA:Operation Rusty Flag",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434889,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9df59e76b67adf52c5f1977182597642ce4cedde.pdf",
		"text": "https://archive.orkl.eu/9df59e76b67adf52c5f1977182597642ce4cedde.txt",
		"img": "https://archive.orkl.eu/9df59e76b67adf52c5f1977182597642ce4cedde.jpg"
	}
}