{
	"id": "035ab551-3ceb-4c6f-9de0-5c238b4bc7ff",
	"created_at": "2026-04-06T00:10:47.917396Z",
	"updated_at": "2026-04-10T13:11:50.181679Z",
	"deleted_at": null,
	"sha1_hash": "a32121356990a1715988d0f93616d80d66af4e96",
	"title": "Velvet Ant - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50318,
	"plain_text": "Velvet Ant - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 12:51:52 UTC\n APT group: Velvet Ant\nNames Velvet Ant (Sygnia)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2023\nDescription\n(Sygnia) Velvet Ant is a sophisticated and innovative threat actor. The investigation\nconfirmed the threat actor maintained a prolonged presence in the organization’s on–\npremises network for about three years. The overall goal behind this campaign was\nto maintain access to the target network for espionage.\nThe threat actor achieved remarkable persistence by establishing and maintaining\nmultiple footholds within the victim company’s environment. One of the\nmechanisms utilized for persistence was a legacy F5 BIG-IP appliance, which was\nexposed to the internet and which the threat actor leveraged as an internal Command\nand Control (C\u0026C).\nAfter one foothold was discovered and remediated, the threat actor swiftly pivoted to\nanother, demonstrating agility and adaptability in evading detection.\nThe threat actor exploited various entry points across the victim’s network\ninfrastructure, indicating a comprehensive understanding of the target’s\nenvironment.\nObserved Countries: East Asia.\nTools used EarthWorm, ESRDE, PlugX, ShadowPad Winnti, VELVETSTING, VELVETTAP.\nOperations performed Jul 2024\nChina-Nexus Threat Group ‘Velvet Ant’ Exploits Cisco Zero-Day\n(CVE-2024-20399) to Compromise Nexus Switch Devices – Advisory\nfor Mitigation and Response\nInformation https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7cf72da5-8428-4878-bf14-2f4e4e1ba7dc\nPage 1 of 2\n\nLast change to this card: 27 August 2024\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7cf72da5-8428-4878-bf14-2f4e4e1ba7dc\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7cf72da5-8428-4878-bf14-2f4e4e1ba7dc\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7cf72da5-8428-4878-bf14-2f4e4e1ba7dc"
	],
	"report_names": [
		"showcard.cgi?u=7cf72da5-8428-4878-bf14-2f4e4e1ba7dc"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "822063cf-d9bd-499a-9715-70d95881378f",
			"created_at": "2025-04-23T02:00:55.295207Z",
			"updated_at": "2026-04-10T02:00:05.254566Z",
			"deleted_at": null,
			"main_name": "Velvet Ant",
			"aliases": [
				"Velvet Ant"
			],
			"source_name": "MITRE:Velvet Ant",
			"tools": [
				"PlugX",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0c0d8f44-d131-41c8-a693-efb687e777f1",
			"created_at": "2024-06-20T02:02:10.211899Z",
			"updated_at": "2026-04-10T02:00:04.962606Z",
			"deleted_at": null,
			"main_name": "Velvet Ant",
			"aliases": [],
			"source_name": "ETDA:Velvet Ant",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"ESRDE",
				"Kaba",
				"Korplug",
				"POISONPLUG.SHADOW",
				"PlugX",
				"RedDelta",
				"SAMRID",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"VELVETSTING",
				"VELVETTAP",
				"XShellGhost",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434247,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a32121356990a1715988d0f93616d80d66af4e96.pdf",
		"text": "https://archive.orkl.eu/a32121356990a1715988d0f93616d80d66af4e96.txt",
		"img": "https://archive.orkl.eu/a32121356990a1715988d0f93616d80d66af4e96.jpg"
	}
}