{ "id": "b8d34ef8-5a32-424b-a269-ec40e42c62e8", "created_at": "2026-04-06T00:17:17.088577Z", "updated_at": "2026-04-10T03:29:45.566691Z", "deleted_at": null, "sha1_hash": "a8ebc6910abfd54375104be392a64fc5d53e692d", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51564, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:21:23 UTC\n APT group: IronHusky\nNames\nIronHusky (Kaspersky)\nBBCY-TA1 (BlackBerry)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2017\nDescription\n(Kaspersky) IronHusky is a Chinese-speaking actor that we first detected in summer\n2017. It is very focused on tracking the geopolitical agenda of targets in central Asia\nwith a special focus in Mongolia, which seems to be an unusual target. This actor\ncrafts campaigns for upcoming events of interest. In this case, they prepared and\nlaunched one right before a meeting with the International Monetary Fund and the\nMongolian government at the end of January 2018. At the same time, they stopped\ntheir previous operations targeting Russian military contractors, which speaks\nvolumes about the group’s limitations. In this new campaign, they exploited CVE-2017-11882 to spread common RATs typically used by Chinese-speaking groups,\nsuch as PlugX and PoisonIvy.\nObserved\nSectors: Defense, Financial, Government.\nCountries: Mongolia, Russia.\nTools used MysterySnail RAT, Poison Ivy, PlugX.\nOperations performed Aug 2021\nOperation “MysterySnail”\nIn late August and early September 2021, Kaspersky technologies\ndetected attacks with the use of an elevation of privilege exploit on\nmultiple Microsoft Windows servers.\nInformation\nLast change to this card: 21 April 2025\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3f1b347c-02ab-4ea5-ab79-6195bb15daf4\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3f1b347c-02ab-4ea5-ab79-6195bb15daf4\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3f1b347c-02ab-4ea5-ab79-6195bb15daf4\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3f1b347c-02ab-4ea5-ab79-6195bb15daf4" ], "report_names": [ "showcard.cgi?u=3f1b347c-02ab-4ea5-ab79-6195bb15daf4" ], "threat_actors": [ { "id": "d06cd44b-3efe-47dc-bb7c-a7b091c02938", "created_at": "2023-11-08T02:00:07.135638Z", "updated_at": "2026-04-10T02:00:03.42332Z", "deleted_at": null, "main_name": "IronHusky", "aliases": [], "source_name": "MISPGALAXY:IronHusky", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2caf4672-1812-4bb9-9576-6011e56102d2", "created_at": "2022-10-25T16:07:23.742765Z", "updated_at": "2026-04-10T02:00:04.733853Z", "deleted_at": null, "main_name": "IronHusky", "aliases": [ "BBCY-TA1", "Operation MysterySnail" ], "source_name": "ETDA:IronHusky", "tools": [ "Agent.dhwf", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "Gen:Trojan.Heur.PT", "Kaba", "Korplug", "MysterySnail", "MysterySnail RAT", "PlugX", "Poison Ivy", "RedDelta", "SPIVY", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434637, "ts_updated_at": 1775791785, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a8ebc6910abfd54375104be392a64fc5d53e692d.pdf", "text": "https://archive.orkl.eu/a8ebc6910abfd54375104be392a64fc5d53e692d.txt", "img": "https://archive.orkl.eu/a8ebc6910abfd54375104be392a64fc5d53e692d.jpg" } }