{ "id": "e8b20ce5-3e71-4a27-80d7-6f8efa29202a", "created_at": "2026-04-06T00:10:44.264763Z", "updated_at": "2026-04-10T03:33:57.369852Z", "deleted_at": null, "sha1_hash": "ac3abd084f02d1abeb490a7437bfc4644f9a54ba", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50162, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:54:54 UTC\n APT group: Blackgear\nNames\nBlackgear (Trend Micro)\nTopgear (?)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2018\nDescription\n(Trend Micro) Blackgear is an espionage campaign which has targeted users in\nTaiwan for many years. Multiple papers and talks have been released covering this\ncampaign, which used the ELIRKS backdoor when it was first discovered in 2012. It\nis known for using blogs and microblogging services to hide the location of its actual\ncommand-and-control (C\u0026C) servers. This allows an attacker to change the C\u0026C\nserver used quickly by changing the information in these posts.\nLike most campaigns, Blackgear has evolved over time. Our research indicates that\nit has started targeting Japanese users. Two things led us to this conclusion: first, the\nfake documents that are used as part of its infection routines are now in Japanese.\nSecondly, it is now using blogging sites and microblogging services based in Japan\nfor its C\u0026C activity.\nObserved Countries: Japan, South Korea, Taiwan.\nTools used Comnie, Elirks, Protux.\nOperations performed Jul 2018\nResurfaces, Abuses Social Media for C\u0026C Communication\nInformation\nLast change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d6a918f-c75c-41c4-842d-3ad79c5a6642\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d6a918f-c75c-41c4-842d-3ad79c5a6642\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d6a918f-c75c-41c4-842d-3ad79c5a6642\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d6a918f-c75c-41c4-842d-3ad79c5a6642" ], "report_names": [ "showcard.cgi?u=9d6a918f-c75c-41c4-842d-3ad79c5a6642" ], "threat_actors": [ { "id": "ad59becc-29c2-4b7a-a958-d7f242d222ea", "created_at": "2023-01-06T13:46:38.956494Z", "updated_at": "2026-04-10T02:00:03.161471Z", "deleted_at": null, "main_name": "Blackgear", "aliases": [ "BLACKGEAR", "Topgear", "Comnie" ], "source_name": "MISPGALAXY:Blackgear", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6750d709-9153-4e90-baa3-04883a9b762b", "created_at": "2022-10-25T16:07:23.397596Z", "updated_at": "2026-04-10T02:00:04.580074Z", "deleted_at": null, "main_name": "Blackgear", "aliases": [ "Topgear" ], "source_name": "ETDA:Blackgear", "tools": [ "Comnie", "Elirks", "Protux" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434244, "ts_updated_at": 1775792037, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ac3abd084f02d1abeb490a7437bfc4644f9a54ba.pdf", "text": "https://archive.orkl.eu/ac3abd084f02d1abeb490a7437bfc4644f9a54ba.txt", "img": "https://archive.orkl.eu/ac3abd084f02d1abeb490a7437bfc4644f9a54ba.jpg" } }