{
	"id": "af33a141-4b3d-430f-b9e4-3d5477651a2b",
	"created_at": "2026-04-06T00:09:33.557796Z",
	"updated_at": "2026-04-10T03:31:51.409966Z",
	"deleted_at": null,
	"sha1_hash": "a414eedbf3ae7e723d660088a09bab6e3e0be78a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47139,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:11:40 UTC\r\n APT group: UNC4191\r\nNames UNC4191 (Mandiant)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2022\r\nDescription\r\n(Mandiant) Mandiant Managed Defense recently identified cyber espionage activity that\r\nheavily leverages USB devices as an initial infection vector and concentrates on the\r\nPhilippines. Mandiant tracks this activity as UNC4191 and we assess it has a China nexus.\r\nUNC4191 operations have affected a range of public and private sector entities primarily in\r\nSoutheast Asia and extending to the U.S., Europe, and APJ; however, even when targeted\r\norganizations were based in other locations, the specific systems targeted by UNC4191 were\r\nalso found to be physically located in the Philippines.\r\nObserved Countries: Philippines.\r\nTools used BLUEHAZE, DARKDEW, MISTCLOAK, NCAT.\r\nInformation\r\n\u003chttps://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia\u003e\r\n\u003chttps://therecord.media/espionage-group-using-usb-devices-to-hack-targets-in-southeast-asia\u003e\r\nLast change to this card: 12 March 2024\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f0a03ff4-df62-4860-a418-164c9a01b78e\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=f0a03ff4-df62-4860-a418-164c9a01b78e\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f0a03ff4-df62-4860-a418-164c9a01b78e"
	],
	"report_names": [
		"showcard.cgi?u=f0a03ff4-df62-4860-a418-164c9a01b78e"
	],
	"threat_actors": [
		{
			"id": "d61cd7ed-6d16-491f-90a1-6323aae8f67f",
			"created_at": "2022-12-27T17:02:23.610663Z",
			"updated_at": "2026-04-10T02:00:04.9586Z",
			"deleted_at": null,
			"main_name": "UNC4191",
			"aliases": [],
			"source_name": "ETDA:UNC4191",
			"tools": [
				"BLUEHAZE",
				"DARKDEW",
				"HIUPAN",
				"MISTCLOAK",
				"NCAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b0f6e3c5-5424-463a-ada3-532ca52e5940",
			"created_at": "2023-11-17T02:00:07.60381Z",
			"updated_at": "2026-04-10T02:00:03.45747Z",
			"deleted_at": null,
			"main_name": "UNC4191",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4191",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434173,
	"ts_updated_at": 1775791911,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a414eedbf3ae7e723d660088a09bab6e3e0be78a.pdf",
		"text": "https://archive.orkl.eu/a414eedbf3ae7e723d660088a09bab6e3e0be78a.txt",
		"img": "https://archive.orkl.eu/a414eedbf3ae7e723d660088a09bab6e3e0be78a.jpg"
	}
}