{
	"id": "10319593-ee5b-4216-a66e-2ca34e7a69a4",
	"created_at": "2026-04-06T00:10:43.332915Z",
	"updated_at": "2026-04-10T03:32:34.634523Z",
	"deleted_at": null,
	"sha1_hash": "ae07fffbccebabe2062b52a3380e49d11f38a1df",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52863,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:21:15 UTC\n APT group: TA459\nNames\nTA459 (Proofpoint)\nG0062 (MITRE)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2017\nDescription\n(Proofpoint) On April 20 [2017], Proofpoint observed a targeted campaign focused\non financial analysts working at top global financial firms operating in Russia and\nneighboring countries. These analysts were linked by their coverage of the\ntelecommunications industry, making this targeting very similar to, and likely a\ncontinuation of, activity described in our “In Pursuit of Optical Fibers and Troop\nIntel” blog. This time, however, attackers opportunistically used spear-phishing\nemails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan, which in turn downloaded the PlugX Remote\nAccess Trojan (RAT).\nProofpoint is tracking this attacker, believed to operate out of China, as TA459. The\nactor typically targets Central Asian countries, Russia, Belarus, Mongolia, and\nothers. TA549 possesses a diverse malware arsenal including PlugX, NetTraveler,\nand ZeroT.\nObserved\nSectors: Financial, Telecommunications and journalists.\nCountries: Belarus, Mongolia, Russia and Central Asia others.\nTools used Gh0st RAT, NetTraveler, PlugX, ZeroT.\nOperations performed Apr 2022\nTracing State-Aligned Activity Targeting Journalists, Media\nInformation MITRE ATT\u0026CK Last change to this card: 16 August 2025\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=da14ab64-16ed-4d61-93a7-69cf3f06115d\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=da14ab64-16ed-4d61-93a7-69cf3f06115d\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=da14ab64-16ed-4d61-93a7-69cf3f06115d\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=da14ab64-16ed-4d61-93a7-69cf3f06115d"
	],
	"report_names": [
		"showcard.cgi?u=da14ab64-16ed-4d61-93a7-69cf3f06115d"
	],
	"threat_actors": [
		{
			"id": "7041fcf5-b34d-47c3-be4c-3c40f243af89",
			"created_at": "2023-01-06T13:46:38.611261Z",
			"updated_at": "2026-04-10T02:00:03.038745Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "MISPGALAXY:TA459",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0bf35542-9ebc-44a9-b319-b6df0bee4bac",
			"created_at": "2022-10-25T15:50:23.437853Z",
			"updated_at": "2026-04-10T02:00:05.36762Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"TA459"
			],
			"source_name": "MITRE:TA459",
			"tools": [
				"gh0st RAT",
				"NetTraveler",
				"PlugX",
				"ZeroT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "802552ac-1f16-4b85-8d78-76d683684124",
			"created_at": "2022-10-25T16:07:24.28032Z",
			"updated_at": "2026-04-10T02:00:04.920517Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "ETDA:TA459",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"NetTraveler",
				"Netfile",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav",
				"ZeroT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434243,
	"ts_updated_at": 1775791954,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae07fffbccebabe2062b52a3380e49d11f38a1df.pdf",
		"text": "https://archive.orkl.eu/ae07fffbccebabe2062b52a3380e49d11f38a1df.txt",
		"img": "https://archive.orkl.eu/ae07fffbccebabe2062b52a3380e49d11f38a1df.jpg"
	}
}