{
	"id": "f4d535f4-9333-4666-97b9-c563f947330a",
	"created_at": "2026-04-06T00:14:51.799678Z",
	"updated_at": "2026-04-10T03:36:50.270735Z",
	"deleted_at": null,
	"sha1_hash": "ae6198abb7781ae2f96b8a3363073235765238ba",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50026,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:04:37 UTC\nHome \u003e List all groups \u003e Operation RusticWeb\n APT group: Operation RusticWeb\nNames Operation RusticWeb (Seqrite)\nCountry Pakistan\nMotivation Information theft and espionage\nFirst seen 2023\nDescription\n(Seqrite) SEQRITE Labs APT-Team has uncovered a phishing campaign targeting various\nIndian government personnel since October 2023. We have also identified targeting of both\ngovernment and private entities in the defence sector over December. New Rust-based\npayloads and encrypted PowerShell commands have been utilized to exfiltrate confidential\ndocuments to a web-based service engine, instead of a dedicated command-and-control (C2)\nserver. With actively modifying its arsenal, it has also used fake domains to host malicious\npayloads and decoy files.\nThis campaign is tracked as Operation RusticWeb, where multiple TTPs overlap with\nPakistan-linked APT groups – Transparent Tribe, APT 36 and SideCopy. It also has similarities\nwith Operation Armor Piercer report released by Cisco in 2021, and the targeting with the\nESSA scholarship form of AWES was observed by our team back in the same year.\nObserved\nSectors: Defense, Government.\nCountries: India.\nTools used\nInformation\nLast change to this card: 16 January 2024\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=04d557ae-7b7a-4aa2-9484-340b00a7ce08\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=04d557ae-7b7a-4aa2-9484-340b00a7ce08\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=04d557ae-7b7a-4aa2-9484-340b00a7ce08"
	],
	"report_names": [
		"showcard.cgi?u=04d557ae-7b7a-4aa2-9484-340b00a7ce08"
	],
	"threat_actors": [
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "403c7091-ccdd-4a76-94ad-27eb61449336",
			"created_at": "2024-01-18T02:02:34.407633Z",
			"updated_at": "2026-04-10T02:00:04.829369Z",
			"deleted_at": null,
			"main_name": "Operation RusticWeb",
			"aliases": [],
			"source_name": "ETDA:Operation RusticWeb",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b01b0683-5c7c-4070-ba0c-4fdede370995",
			"created_at": "2022-10-25T16:07:23.925692Z",
			"updated_at": "2026-04-10T02:00:04.79318Z",
			"deleted_at": null,
			"main_name": "Operation Armor Piercer",
			"aliases": [],
			"source_name": "ETDA:Operation Armor Piercer",
			"tools": [
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Recam",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434491,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae6198abb7781ae2f96b8a3363073235765238ba.pdf",
		"text": "https://archive.orkl.eu/ae6198abb7781ae2f96b8a3363073235765238ba.txt",
		"img": "https://archive.orkl.eu/ae6198abb7781ae2f96b8a3363073235765238ba.jpg"
	}
}