{
	"id": "af0609f7-b7df-4cf0-87c8-1d8288c663cd",
	"created_at": "2026-04-06T00:21:48.342654Z",
	"updated_at": "2026-04-10T13:11:50.154092Z",
	"deleted_at": null,
	"sha1_hash": "a8388978f90453dbcae93223609df70d4430e18a",
	"title": "Dust Storm - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52321,
	"plain_text": "Dust Storm - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:19:19 UTC\r\n APT group: Dust Storm\r\nNames\r\nDust Storm (Cylance)\r\nG0031 (MITRE)\r\nCountry China\r\nSponsor Seems state-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2010\r\nDescription\r\n(Cylance) Very little public information was available throughout 2010 on this threat,\r\ndespite the group’s primary backdoor gaining some level of prominence in targeted Asian\r\nattacks. This may be explained by the group’s early reliance on Dynamic DNS domains for\r\ntheir command and control (C2) infrastructure, as well as their use of public RATs like\r\nPoison Ivy and Gh0st RAT for second-stage implants.\r\nIt wasn’t until June 2011 that Operation Dust Storm started to garner some notoriety from\r\na series of attacks which leveraged an unpatched Internet Explorer 8 vulnerability, CVE-2011-1255, to gain a foothold into victim networks. In these attacks, a link to the exploit\r\nwas sent via a spear phishing email from a purported Chinese student seeking advice or\r\nasking the target a question following a presentation.\r\nAs in other documented cases, the attacker started interacting with the infected machine\r\nwithin minutes of compromise to begin manual network and host enumeration.\r\nIn October 2011, the group attempted to take advantage of the ongoing Libyan crisis at the\r\ntime and phish the news cycle regarding Muammar Gaddafi’s death on October 20, 2011.\r\nIt appears that in addition to some US defense targets, this campaign was also directed at a\r\nUyghur mailing list. This time, the group used a specially crafted malicious Windows Help\r\n(.hlp) file, which exploited CVE-2010-1885.\r\nObserved\r\nSectors: Energy, Oil and gas, and Uyghurs.\r\nCountries: Japan, South Korea, USA, Europe and Southeast Asia.\r\nTools used Gh0st RAT, Misdat, MiS-Type, Poison Ivy, S-Type.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3c462561-ef5e-48ac-9138-38dc25d2afc4\r\nPage 1 of 2\n\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3c462561-ef5e-48ac-9138-38dc25d2afc4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3c462561-ef5e-48ac-9138-38dc25d2afc4"
	],
	"report_names": [
		"showcard.cgi?u=3c462561-ef5e-48ac-9138-38dc25d2afc4"
	],
	"threat_actors": [
		{
			"id": "08472d2c-8fbc-4705-ad7a-eb618557cbd2",
			"created_at": "2023-01-06T13:46:38.23674Z",
			"updated_at": "2026-04-10T02:00:02.889753Z",
			"deleted_at": null,
			"main_name": "Dust Storm",
			"aliases": [
				"G0031"
			],
			"source_name": "MISPGALAXY:Dust Storm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a0f6bde9-34cb-46bf-88b7-b4e54c96beaa",
			"created_at": "2022-10-25T15:50:23.646492Z",
			"updated_at": "2026-04-10T02:00:05.37108Z",
			"deleted_at": null,
			"main_name": "Dust Storm",
			"aliases": [
				"Dust Storm"
			],
			"source_name": "MITRE:Dust Storm",
			"tools": [
				"S-Type",
				"Mis-Type",
				"ZLib",
				"Misdat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "87a842ac-ca8b-41a6-9137-d2cd286e1f51",
			"created_at": "2022-10-25T16:07:23.559995Z",
			"updated_at": "2026-04-10T02:00:04.656872Z",
			"deleted_at": null,
			"main_name": "Dust Storm",
			"aliases": [
				"G0031"
			],
			"source_name": "ETDA:Dust Storm",
			"tools": [
				"AngryRebel",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"MiS-Type",
				"Misdat",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Poison Ivy",
				"S-Type",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434908,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8388978f90453dbcae93223609df70d4430e18a.pdf",
		"text": "https://archive.orkl.eu/a8388978f90453dbcae93223609df70d4430e18a.txt",
		"img": "https://archive.orkl.eu/a8388978f90453dbcae93223609df70d4430e18a.jpg"
	}
}