{
	"id": "b33c5d2f-7d82-43d2-87d6-1fb590e8876a",
	"created_at": "2026-04-06T00:12:34.644655Z",
	"updated_at": "2026-04-10T03:26:36.771337Z",
	"deleted_at": null,
	"sha1_hash": "a17573f6fa7d9d6f3fc1ff36e56c020209b4dea7",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54316,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:34:12 UTC\r\n APT group: Sweed\r\nNames Sweed (Talos)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2017\r\nDescription\r\n(Talos) Cisco Talos recently identified a large number of ongoing malware\r\ndistribution campaigns linked to a threat actor we’re calling “SWEED,” including\r\nsuch notable malware as Formbook, Lokibot and Agent Tesla. Based on our\r\nresearch, SWEED — which has been operating since at least 2017 — primarily\r\ntargets their victims with stealers and remote access trojans.\r\nSWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a\r\nmyriad of different types of malicious documents, the actor primarily tries to infect\r\nits victims with a packed version of Agent Tesla — an information stealer that’s been\r\naround since at least 2014. The version of Agent Tesla that SWEED is using differs\r\nslightly from what we’ve seen in the past in the way that it is packed, as well as how\r\nit infects the system. In this post, we’ll run down each campaign we’re able to\r\nconnect to SWEED, and talk about some of the actor’s tactics, techniques and\r\nprocedures (TTPs).\r\nObserved\r\nSectors: Defense, Energy, Financial, Shipping and Logistics, Manufacturing and\r\nHuman Resources.\r\nCountries: Bosnia and Herzegovina, Canada, China, Djibouti, France, Germany,\r\nHong Kong, India, Italy, Monaco, Russia, Qatar, Singapore, South Africa, South\r\nKorea, Switzerland, Taiwan, Turkey, UAE, UK, USA.\r\nTools used Agent Tesla, Formbook, LokiBot, RDP.\r\nOperations performed\r\n2017\r\nSteganography\r\nOne of the earliest SWEED campaigns Talos identified dates back to\r\n2017. In this attack, the actors placed droppers inside of ZIP archives,\r\nand then attached those ZIPs to emails. 
The attachments usually had\r\nfile names similar to “Java_Updater.zip” or “P-O of Jun2017.zip”.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ad9624e1-ffa9-42ca-abba-59c371e1ed53\r\nPage 1 of 2\n\nJan 2018\r\nIn early 2018, we observed that SWEED began leveraging Java-based\r\ndroppers. Similar to previous campaigns, the JAR was directly\r\nattached to emails and used file names such as “Order_2018.jar”. The\r\npurpose of the JAR was to obtain information about the infected\r\nsystem and facilitate the download of a packed version of Agent Tesla.\r\nApr 2018\r\nIn April 2018, SWEED began making use of a previously disclosed\r\nOffice exploit. One of the documents featured in these email\r\ncampaigns was notable because it was a PowerPoint document\r\n(PPSX). Code contained inside one of the slides triggers an exploit for\r\nCVE-2017-8759, a remote code execution vulnerability in Microsoft\r\n.NET framework.\r\nMay 2018\r\nIn May 2018, campaigns being conducted by SWEED began\r\nleveraging another vulnerability in Microsoft Office: CVE-2017-11882,\r\na remote code execution bug in Microsoft Office that is\r\ncommonly observed being leveraged in malicious documents used in\r\ncommodity malware distribution.\r\n2019\r\nBeginning in 2019, the campaigns associated with SWEED began\r\nleveraging malicious Office macros. As with previous attacks, they are\r\nleveraging spear-phishing emails and malicious attachments to initiate\r\nthe infection process.\r\n\u003chttps://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html\u003e\r\nInformation \u003chttps://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html\u003e\r\nLast change to this card: 14 April 2020\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ad9624e1-ffa9-42ca-abba-59c371e1ed53",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ad9624e1-ffa9-42ca-abba-59c371e1ed53"
	],
	"report_names": [
		"showcard.cgi?u=ad9624e1-ffa9-42ca-abba-59c371e1ed53"
	],
	"threat_actors": [
		{
			"id": "fe3d8dee-3bee-42e6-8f16-b6628b6189ae",
			"created_at": "2023-01-06T13:46:39.039285Z",
			"updated_at": "2026-04-10T02:00:03.193589Z",
			"deleted_at": null,
			"main_name": "SWEED",
			"aliases": [],
			"source_name": "MISPGALAXY:SWEED",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2c53785-fb8b-460d-ba73-7fbfba36f0f5",
			"created_at": "2022-10-25T16:07:24.247949Z",
			"updated_at": "2026-04-10T02:00:04.911034Z",
			"deleted_at": null,
			"main_name": "Sweed",
			"aliases": [],
			"source_name": "ETDA:Sweed",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"ForeIT",
				"Formbook",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"Negasteal",
				"Origin Logger",
				"RDP",
				"Remote Desktop Protocol",
				"ZPAQ",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434354,
	"ts_updated_at": 1775791596,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a17573f6fa7d9d6f3fc1ff36e56c020209b4dea7.pdf",
		"text": "https://archive.orkl.eu/a17573f6fa7d9d6f3fc1ff36e56c020209b4dea7.txt",
		"img": "https://archive.orkl.eu/a17573f6fa7d9d6f3fc1ff36e56c020209b4dea7.jpg"
	}
}