{
	"id": "30839724-043b-4f53-8ebb-5cdc8470dbcb",
	"created_at": "2026-04-06T00:12:55.844883Z",
	"updated_at": "2026-04-10T13:12:16.864732Z",
	"deleted_at": null,
	"sha1_hash": "b12ae8b0abdfae60eb702039804acdcda8783cb3",
	"title": "Comment Crew, APT 1 - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85927,
	"plain_text": "Comment Crew, APT 1 - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 16:35:46 UTC\r\nHome \u003e List all groups \u003e Comment Crew, APT 1\r\n APT group: Comment Crew, APT 1\r\nNames\r\nComment Crew (Symantec)\r\nComment Panda (CrowdStrike)\r\nTG-8223 (SecureWorks)\r\nAPT 1 (Mandiant)\r\nBrownFox (Symantec)\r\nGroup 3 (Talos)\r\nByzantine Hades (US State Department)\r\nByzantine Candor (US State Department)\r\nShanghai Group (SecureWorks)\r\nGIF89a (Kaspersky)\r\nG0006 (MITRE)\r\nCountry China\r\nSponsor\r\nState-sponsored, 2nd Bureau of the People’s Liberation Army (PLA) General Staff\r\nDepartment’s (GSD) 3rd Department, commonly known by its Military Unit Cover\r\nDesignator (MUCD) as Unit 61398\r\nMotivation Information theft and espionage\r\nFirst seen 2006\r\nDescription Also known as APT1, Comment Crew is an advanced persistent threat (APT) group\r\nwith links to the Chinese military. The threat actors, which were active from roughly\r\n2006 to 2010, managed to strike over 140 US companies in the quest for sensitive\r\ncorporate and intellectual property data.\r\nThe group earned their name through their use of HTML comments to hide\r\ncommunication to the command-and-control servers. The usual attack vector was via\r\nspear-phishing campaigns utilizing emails which contained documents with names\r\ntailored for the potential victims, such as\r\n“ArmyPlansConferenceOnNewGCVSolicitation.pdf,” or “Chinese Oil Executive\r\nLearning From Experience.doc.”\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b99367ed-e483-40a3-98d0-8d3a2102a4ab\r\nPage 1 of 3\n\nThis group may also be responsible for the Siesta campaign.\nObserved\nSectors: Aerospace, Chemical, Construction, Defense, Education, Energy,\nEngineering, Entertainment, Financial, Food and Agriculture, Government,\nHealthcare, High-Tech, IT, Manufacturing, Media, Mining, Non-profit organizations,\nResearch, Satellites, Telecommunications, Transportation and Navigation and\nlawyers.\nCountries: Belgium, Canada, France, India, Israel, Japan, Luxembourg, Norway,\nSingapore, South Africa, South Korea, Switzerland, Taiwan, UAE, UK, USA,\nVietnam.\nTools used\nAuriga, bangat, BISCUIT, Bouncer, Cachedump, CALENDAR, Combos,\nCookieBag, Dairy, GDOCUPLOAD, GetMail, GLASSES, GLOOXMAIL,\nGOGGLES, GREENCAT, gsecdump, Hackfase, Helauto, Kurton, LIGHTBOLT,\nLIGHTDART, LONGRUN, Lslsass, ManItsMe, MAPIget, Mimikatz, MiniASP,\nNewsReels, Oceansalt, Pass-The-Hash Toolkit, Poison Ivy, ProcDump, pwdump,\nSeasalt, ShadyRAT, StarsyPound, Sword, TabMsgSQL, Tarsip, WARP, WebC2,\nLiving off the Land.\nOperations performed\n2006/2010\nOperation “Seasalt”\nTarget: 140 US companies in the quest for sensitive corporate and\nintellectual property data.\nMethod: Spear-phishing with malicious documents.\nMar 2011\nBreach of RSA\nThey breached security systems designed to keep out intruders by\ncreating duplicates to “SecurID” electronic keys from EMC Corp’s\nEMC.N RSA security division, said the person who was not\nauthorized to publicly discuss the matter.\n2011/2012\nHackers Plundered Israeli Defense Firms that Built ‘Iron Dome’\nMissile Defense System\nFeb 2014 Operation “Siesta”\nFireEye recently looked deeper into the activity discussed in\nTrendMicro’s blog and dubbed the “Siesta” campaign. The tools,\nmodus operandi, and infrastructure used in the campaign present two\npossibilities: either the Chinese cyberespionage unit APT 1 is\nperpetrating this activity, or another group is using the same tactics\nand tools as the legacy APT 1.\nMay 2018\nOperation “Oceansalt”\nTarget: Oceansalt appears to have been part of an operation targeting\nSouth Korea, United States, and Canada in a well-focused attack. A\nvariation of this malware has been distributed from two compromised\nsites in South Korea.\nMethod: Oceansalt appears to be the first stage of an advanced\npersistent threat. The malware can send system data to a control\nserver and execute commands on infected machines, but we do not\nyet know its ultimate purpose.\nNote: It is possible that this operation was not performed by the actual\nComment Crew group (as they are supposedly in jail).\nCounter operations May 2014\n5 in China Army Face U.S. Charges of Cyberattacks\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b99367ed-e483-40a3-98d0-8d3a2102a4ab",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b99367ed-e483-40a3-98d0-8d3a2102a4ab"
	],
	"report_names": [
		"showcard.cgi?u=b99367ed-e483-40a3-98d0-8d3a2102a4ab"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9fa9633-dfd1-458d-84ce-cc36dcdc7ce4",
			"created_at": "2022-10-25T16:07:24.188897Z",
			"updated_at": "2026-04-10T02:00:04.894484Z",
			"deleted_at": null,
			"main_name": "Siesta",
			"aliases": [],
			"source_name": "ETDA:Siesta",
			"tools": [
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Poison Ivy",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9bb42e1-65d6-444e-8c63-21c2605b49e0",
			"created_at": "2023-01-06T13:46:38.887429Z",
			"updated_at": "2026-04-10T02:00:03.133382Z",
			"deleted_at": null,
			"main_name": "Siesta",
			"aliases": [],
			"source_name": "MISPGALAXY:Siesta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434375,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b12ae8b0abdfae60eb702039804acdcda8783cb3.pdf",
		"text": "https://archive.orkl.eu/b12ae8b0abdfae60eb702039804acdcda8783cb3.txt",
		"img": "https://archive.orkl.eu/b12ae8b0abdfae60eb702039804acdcda8783cb3.jpg"
	}
}