{
	"id": "25f7fdfa-0cb3-46b2-b453-7c5998e7e273",
	"created_at": "2026-04-06T03:37:23.188811Z",
	"updated_at": "2026-04-10T03:34:13.714451Z",
	"deleted_at": null,
	"sha1_hash": "aef70d0f1f2a4a9669c644ae06cbe7869f41b1cb",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45759,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 02:57:51 UTC\r\nAPT group: Carderbee\r\nNames: Carderbee (Symantec)\r\nCountry: China\r\nMotivation: Information theft and espionage\r\nFirst seen: 2023\r\nDescription:\r\n(Symantec) A previously unknown advanced persistent threat (APT) group used the legitimate\r\nCobra DocGuard software to carry out a supply chain attack with the goal of deploying the\r\nKorplug backdoor (aka PlugX) onto victim computers.\r\nIn the course of this attack, the attackers used malware signed with a legitimate Microsoft\r\ncertificate. Most of the victims in this campaign are based in Hong Kong, with some victims\r\nbased in other regions of Asia.\r\nKorplug is known to be used by multiple APT groups, but we could not link this activity to a\r\nknown threat actor so we have given the actor behind this activity a new name — Carderbee.\r\nObserved Countries: Hong Kong and Asia.\r\nTools used: Cobra DocGuard, PlugX.\r\nInformation:\r\n\u003chttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse\u003e\r\nLast change to this card: 06 September 2023\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=15acd737-0ced-4e06-a285-42e1390d5452\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=15acd737-0ced-4e06-a285-42e1390d5452\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=15acd737-0ced-4e06-a285-42e1390d5452"
	],
	"report_names": [
		"showcard.cgi?u=15acd737-0ced-4e06-a285-42e1390d5452"
	],
	"threat_actors": [
		{
			"id": "e737c474-a1f2-4e18-9d78-1c00f0887fa0",
			"created_at": "2023-11-05T02:00:08.085728Z",
			"updated_at": "2026-04-10T02:00:03.401539Z",
			"deleted_at": null,
			"main_name": "Carderbee",
			"aliases": [],
			"source_name": "MISPGALAXY:Carderbee",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17cfc7a6-c8f2-4806-b77f-ba23fb772e70",
			"created_at": "2023-09-07T02:02:47.182792Z",
			"updated_at": "2026-04-10T02:00:04.604605Z",
			"deleted_at": null,
			"main_name": "Carderbee",
			"aliases": [],
			"source_name": "ETDA:Carderbee",
			"tools": [
				"Agent.dhwf",
				"Cobra DocGuard",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446643,
	"ts_updated_at": 1775792053,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aef70d0f1f2a4a9669c644ae06cbe7869f41b1cb.pdf",
		"text": "https://archive.orkl.eu/aef70d0f1f2a4a9669c644ae06cbe7869f41b1cb.txt",
		"img": "https://archive.orkl.eu/aef70d0f1f2a4a9669c644ae06cbe7869f41b1cb.jpg"
	}
}