{ "id": "be422c23-aa35-4986-a3e1-8e25bdf925fb", "created_at": "2026-04-06T00:11:13.78161Z", "updated_at": "2026-04-10T13:11:21.222915Z", "deleted_at": null, "sha1_hash": "ae5b7157b297f4f5c6e10ae30b7a26a625920db2", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 43583, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:15:05 UTC\r\n APT group: TA2722\r\nNames\r\nTA2722 (Proofpoint)\r\nBalikbayan Foxes (Proofpoint)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2020\r\nDescription\r\n(Proofpoint) Proofpoint identified a new and highly active cybercriminal threat actor, TA2722,\r\ncolloquially referred to by Proofpoint threat researchers as the Balikbayan Foxes. Throughout\r\n2021, a series of campaigns impersonated multiple Philippine government entities including\r\nthe Department of Health, the Philippine Overseas Employment Administration (POEA), and\r\nthe Bureau of Customs. Other related campaigns masqueraded as the Manila embassy for the\r\nKingdom of Saudi Arabia (KSA) and DHL Philippines. The messages were intended for a\r\nvariety of industries in North America, Europe, and Southeast Asia, with the top sectors\r\nincluding Shipping, Logistics, Manufacturing, Business Services, Pharmaceutical, Energy, and\r\nFinance.\r\nObserved\r\nSectors: Energy, Financial, Manufacturing, Pharmaceutical, Shipping and Logistics.\r\nCountries: USA and Europe and Southeast Asia.\r\nTools used NanoCore RAT, RemcosRAT.\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread\u003e\r\nLast change to this card: 04 November 2021\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6b9f8bf4-afdf-4ff4-bc59-9dc4f9dea767\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=6b9f8bf4-afdf-4ff4-bc59-9dc4f9dea767\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6b9f8bf4-afdf-4ff4-bc59-9dc4f9dea767" ], "report_names": [ "showcard.cgi?u=6b9f8bf4-afdf-4ff4-bc59-9dc4f9dea767" ], "threat_actors": [ { "id": "8259735e-8dd0-462f-80ff-c265fa839b76", "created_at": "2024-02-06T02:00:04.110337Z", "updated_at": "2026-04-10T02:00:03.57093Z", "deleted_at": null, "main_name": "TA2722", "aliases": [ "Balikbayan Foxes" ], "source_name": "MISPGALAXY:TA2722", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "0dbd3195-22ca-47c4-a3f1-aa058b06a1d9", "created_at": "2022-10-25T16:07:24.269634Z", "updated_at": "2026-04-10T02:00:04.917125Z", "deleted_at": null, "main_name": "TA2722", "aliases": [ "Balikbayan Foxes" ], "source_name": "ETDA:TA2722", "tools": [ "Atros2.CKPN", "Nancrat", "NanoCore", "NanoCore RAT", "Remcos", "RemcosRAT", "Remvio", "Socmer", "Zurten" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434273, "ts_updated_at": 1775826681, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ae5b7157b297f4f5c6e10ae30b7a26a625920db2.pdf", "text": "https://archive.orkl.eu/ae5b7157b297f4f5c6e10ae30b7a26a625920db2.txt", "img": "https://archive.orkl.eu/ae5b7157b297f4f5c6e10ae30b7a26a625920db2.jpg" } }