{
	"id": "eb4a8a63-a3ce-4087-917e-2ce6aacfd12e",
	"created_at": "2026-04-06T01:29:20.350511Z",
	"updated_at": "2026-04-10T03:36:00.003668Z",
	"deleted_at": null,
	"sha1_hash": "ae00a616d55d5ef5c8ad29db386e0c765d31493a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65489,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:16:27 UTC\r\nHome \u003e List all groups \u003e Bronze Highland\r\n APT group: Bronze Highland\r\nNames\r\nBronze Highland (SecureWorks)\r\nEvasive Panda (Malwarebytes)\r\nDaggerfly (Symantec)\r\nStorm Cloud (Volexity)\r\nStormBamboo (Volexity)\r\nTAG-102 (Recorded Future)\r\nTAG-112 (Recorded Future)\r\nDigging Taurus (Palo Alto)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2012\r\nDescription\r\n(SecureWorks) BRONZE HIGHLAND has been observed using spearphishing as an\r\ninitial infection vector to deploy the MgBot remote access trojan against targets in\r\nHong Kong. Third party reporting suggests the threat group also targets India,\r\nMalaysia and Taiwan and leverages Cobalt Strike and KsRemote Android Rat. CTU\r\nresearchers assess with moderate confidence that BRONZE HIGHLAND operates\r\non behalf of China and has a remit covering espionage against domestic human\r\nrights and pro-democracy advocates and nations neighbouring China.\r\nObserved\r\nSectors: Telecommunications and human rights and pro-democracy advocates.\r\nCountries: China, Hong Kong, India, Macao, Malaysia, Myanmar, Nigeria,\r\nPhilippines, Taiwan, Tibet, Vietnam and Africa.\r\nTools used\r\nCloudScout, Cobalt Strike, GIMMICK, Nightdoor, Macma, MgBot, KsRemote,\r\nRELOADEXT, Living off the Land.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8c9d0ce1-0e92-4de2-b8e0-053b16ad37ed\r\nPage 1 of 2\n\nOperations performed\n2020\nEvasive Panda APT group delivers malware via updates for popular\nChinese software\nLate 2021\nStorm Cloud on the Horizon: GIMMICK Malware Strikes at macOS\n2022\nCloudScout: Evasive Panda scouting cloud services\nNov 2022\nDaggerfly: APT Actor Targets Telecoms Company in Africa\nMid 2023\nStormBamboo Compromises ISP to Abuse Insecure Software Update\nMechanisms\nSep 2023\nEvasive Panda leverages Monlam Festival to target Tibetans\nMay 2024\nChina-Nexus TAG-112 Compromises Tibetan Websites to Distribute\nCobalt Strike\nJul 2024\nDaggerfly: Espionage Group Makes Major Update to Toolset\nInformation\nLast change to this card: 27 June 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8c9d0ce1-0e92-4de2-b8e0-053b16ad37ed\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8c9d0ce1-0e92-4de2-b8e0-053b16ad37ed\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8c9d0ce1-0e92-4de2-b8e0-053b16ad37ed"
	],
	"report_names": [
		"showcard.cgi?u=8c9d0ce1-0e92-4de2-b8e0-053b16ad37ed"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "33eef76c-a6fa-4855-a77e-9a1e92fe8474",
			"created_at": "2023-11-21T02:00:07.393519Z",
			"updated_at": "2026-04-10T02:00:03.477407Z",
			"deleted_at": null,
			"main_name": "Storm Cloud",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm Cloud",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0ed62b86-b1a8-4463-a157-1db21e91e7f4",
			"created_at": "2024-11-16T02:00:03.81128Z",
			"updated_at": "2026-04-10T02:00:03.770291Z",
			"deleted_at": null,
			"main_name": "TAG-112",
			"aliases": [],
			"source_name": "MISPGALAXY:TAG-112",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775438960,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae00a616d55d5ef5c8ad29db386e0c765d31493a.pdf",
		"text": "https://archive.orkl.eu/ae00a616d55d5ef5c8ad29db386e0c765d31493a.txt",
		"img": "https://archive.orkl.eu/ae00a616d55d5ef5c8ad29db386e0c765d31493a.jpg"
	}
}