{
	"id": "b2b402cb-7900-4648-8ae2-93c1a5e4b478",
	"created_at": "2026-04-06T00:09:02.348352Z",
	"updated_at": "2026-04-10T03:24:29.563721Z",
	"deleted_at": null,
	"sha1_hash": "b7f73129c0c93c6db20d8b3fe12db49b01776934",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59803,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:35:39 UTC\n APT group: Safe\nNames Safe (Trend Micro)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2013\nDescription\n(Trend Micro) Whether considered advanced persistent threats (APTs) or malware-based\nespionage attacks, successful and long-term compromises of high-value organizations and\nenterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier”\ncampaigns are becoming increasingly well-known within the security community, new and\nsmaller campaigns are beginning to emerge.\nThis research paper documents the operations of a campaign we refer to as “Safe,” based on\nthe names of the malicious files used. It is an emerging and active targeted threat.\nWhile we have yet to determine the campaign’s total number of victims, it appears that nearly\n12,000 unique IP addresses spread over more than 100 countries were connected to two sets of\ncommand-and-control (C\u0026C) infrastructures related to Safe. We also discovered that the\naverage number of actual victims remained at 71 per day, with few if any changes from day to\nday. This indicates that the actual number of victims is far less than the number of unique IP\naddresses. 
Due to large concentrations of IP addresses within specific network blocks, it is\nlikely that the number of victims is even smaller and that they have dynamically assigned IP\naddresses, which have been compromised for some time now.\nObserved\nSectors: Education, Government, Media, NGOs, Technology.\nCountries: Algeria, Australia, Brazil, Bulgaria, Canada, China, Egypt, Hungary, India,\nMalaysia, Mongolia, Pakistan, Philippines, Romania, Russia, Saudi Arabia, Serbia, South\nKorea, South Sudan, Syria, UAE, USA.\nTools used\nDebugView, LZ77, OpenDoc, Safe, TypeConfig, UPXShell, UsbDoc, UsbExe and an MS\nOffice 0-day exploit.\nInformation https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f0390e00-c32a-40e7-8518-3fcca0dd6e84\n\u003chttps://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf\u003e\r\nLast change to this card: 14 April 2020\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f0390e00-c32a-40e7-8518-3fcca0dd6e84",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f0390e00-c32a-40e7-8518-3fcca0dd6e84"
	],
	"report_names": [
		"showcard.cgi?u=f0390e00-c32a-40e7-8518-3fcca0dd6e84"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434142,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7f73129c0c93c6db20d8b3fe12db49b01776934.pdf",
		"text": "https://archive.orkl.eu/b7f73129c0c93c6db20d8b3fe12db49b01776934.txt",
		"img": "https://archive.orkl.eu/b7f73129c0c93c6db20d8b3fe12db49b01776934.jpg"
	}
}