{
	"id": "cfba35f0-dd8b-4f51-a0f5-8ba668c281b9",
	"created_at": "2026-04-06T00:16:09.46566Z",
	"updated_at": "2026-04-10T13:11:19.122695Z",
	"deleted_at": null,
	"sha1_hash": "a82a960a84d65735201034e3841c52a3c09aee00",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55758,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:26:33 UTC\n APT group: RedFoxtrot\nNames\nRedFoxtrot (Recorded Future)\nNomad Panda (CrowdStrike)\nTEMP.Trident (FireEye)\nMoshen Dragon (SentinelLabs)\nCountry China\nSponsor State-sponsored, PLA Unit 69010\nMotivation Information theft and espionage\nFirst seen 2014\nDescription\n(Recorded Future) RedFoxtrot has been active since at least 2014 and predominantly\ntargets government, defense, and telecommunications sectors across Central Asia,\nIndia, and Pakistan, aligning with the likely operational remit of Unit 69010. Of\nparticular note, within the past 6 months, Insikt Group detected RedFoxtrot network\nintrusions targeting 3 Indian aerospace and defense contractors; major\ntelecommunications providers in Afghanistan, India, Kazakhstan, and Pakistan; and\nmultiple government agencies across the region. RedFoxtrot maintains large\namounts of operational infrastructure and has likely employed both bespoke and\npublicly available malware families commonly used by Chinese cyber espionage\ngroups, including Icefog, PlugX, Royal Road, Poison Ivy, ShadowPad, and PCShare.\nRedFoxtrot activity overlaps with threat groups tracked by other security vendors as\nTemp.Trident and Nomad Panda.\nObserved\nSectors: Defense, Government, Telecommunications.\nCountries: Afghanistan, India, Kazakhstan, Pakistan.\nTools used\n8.t Dropper, GUNTERS, Icefog, Impacket, PCShare, PlugX, Poison Ivy, ShadowPad\nWinnti.\nOperations performed Aug 2021\n4 Chinese APT Groups Identified Targeting Mail Server of Afghan\nTelecommunications Firm Roshan\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9f36b109-05bd-4a55-b3fb-dae2dbcc2b6b\nPage 1 of 2\n\nInformation\nLast change to this card: 04 May 2022\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9f36b109-05bd-4a55-b3fb-dae2dbcc2b6b\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9f36b109-05bd-4a55-b3fb-dae2dbcc2b6b\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9f36b109-05bd-4a55-b3fb-dae2dbcc2b6b"
	],
	"report_names": [
		"showcard.cgi?u=9f36b109-05bd-4a55-b3fb-dae2dbcc2b6b"
	],
	"threat_actors": [
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c09dd7ba-3b6c-4a02-9ae6-949b0afc0b16",
			"created_at": "2023-01-06T13:46:38.907191Z",
			"updated_at": "2026-04-10T02:00:03.141637Z",
			"deleted_at": null,
			"main_name": "NOMAD PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:NOMAD PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "df299f24-89cb-47e3-9515-c018bb501443",
			"created_at": "2023-11-21T02:00:07.383392Z",
			"updated_at": "2026-04-10T02:00:03.473887Z",
			"deleted_at": null,
			"main_name": "Moshen Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Moshen Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695",
			"created_at": "2022-10-25T16:07:24.120424Z",
			"updated_at": "2026-04-10T02:00:04.871598Z",
			"deleted_at": null,
			"main_name": "RedFoxtrot",
			"aliases": [
				"Moshen Dragon",
				"Nomad Panda",
				"TEMP.Trident"
			],
			"source_name": "ETDA:RedFoxtrot",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Fucobha",
				"GUNTERS",
				"Gen:Trojan.Heur.PT",
				"Icefog",
				"Impacket",
				"Kaba",
				"Korplug",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XShellGhost",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434569,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a82a960a84d65735201034e3841c52a3c09aee00.pdf",
		"text": "https://archive.orkl.eu/a82a960a84d65735201034e3841c52a3c09aee00.txt",
		"img": "https://archive.orkl.eu/a82a960a84d65735201034e3841c52a3c09aee00.jpg"
	}
}