{
	"id": "5972b26e-1db0-4a47-817d-b746fe41f4a6",
	"created_at": "2026-04-06T00:13:45.213752Z",
	"updated_at": "2026-04-10T03:37:22.850069Z",
	"deleted_at": null,
	"sha1_hash": "b9368debc75824ef5a87bd0b18ade7d263e35335",
	"title": "APT 31, Judgment Panda, Zirconium",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73529,
	"plain_text": "APT 31, Judgment Panda, Zirconium\nArchived: 2026-04-05 22:51:06 UTC\nHome \u003e List all groups \u003e APT 31, Judgment Panda, Zirconium\n APT group: APT 31, Judgment Panda, Zirconium\nNames\nAPT 31 (Mandiant)\nJudgment Panda (CrowdStrike)\nZirconium (Microsoft)\nRedBravo (Recorded Future)\nBronze Vinewood (SecureWorks)\nTA412 (Proofpoint)\nViolet Typhoon (Microsoft)\nRed Keres (PWC)\nG0128 (MITRE)\nCountry China\nSponsor State-sponsored, Ministry of State Security\nMotivation Information theft and espionage\nFirst seen 2016\nDescription\nFireEye characterizes APT31 as an actor specialized in intellectual property theft,\nfocusing on data and projects that make a particular organization competitive in its\nfield. Based on available data (April 2016), FireEye assesses that APT31 conducts\nnetwork operations at the behest of the Chinese Government.\nAlso see Hafnium.\nObserved\nCountries: Belarus, Canada, Czech, Finland, France, Mongolia, Norway, Russia,\nUK, USA.\nTools used\n9002 RAT, China Chopper, Gh0st RAT, GrewApacha, HiKit, PlugX, Sakula RAT,\nTrochilus RAT.\nOperations performed\nSummer 2018\nNorway says Chinese group APT31 is behind catastrophic 2018\ngovernment hack\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e3e29e0b-f472-4a46-bbb7-d328b2348fcf\nPage 1 of 3\n\nAug 2020\nNew cyberattacks targeting U.S. elections\nAutumn 2020\nFinnish Parliament attackers hack lawmakers’ email accounts\nEarly 2021\nTracing State-Aligned Activity Targeting Journalists, Media\nApr 2021\nAPT31 new dropper. Target destinations: Mongolia, Russia, the\nU.S., and elsewhere\nJul 2021\nFrance warns of APT31 cyberspies targeting French organizations\n2022\nCzechia blames China for Ministry of Foreign Affairs cyberattack\nFeb 2022\nIn February, we detected an APT31 phishing campaign targeting\nhigh profile Gmail users affiliated with the U.S. \ngovernment.\nApr 2022\nHackers use new malware to breach air-gapped devices in Eastern\nEurope\nCounter operations Mar 2024 Treasury Sanctions China-Linked Hackers for Targeting U.S.\nCritical Infrastructure\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e3e29e0b-f472-4a46-bbb7-d328b2348fcf\nPage 2 of 3\n\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e3e29e0b-f472-4a46-bbb7-d328b2348fcf\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e3e29e0b-f472-4a46-bbb7-d328b2348fcf\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e3e29e0b-f472-4a46-bbb7-d328b2348fcf"
	],
	"report_names": [
		"showcard.cgi?u=e3e29e0b-f472-4a46-bbb7-d328b2348fcf"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31",
				"BRONZE EXPRESS",
				"Judgment Panda",
				"Red Keres",
				"TA412",
				"VINEWOOD",
				"Violet Typhoon",
				"ZIRCONIUM"
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434425,
	"ts_updated_at": 1775792242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9368debc75824ef5a87bd0b18ade7d263e35335.pdf",
		"text": "https://archive.orkl.eu/b9368debc75824ef5a87bd0b18ade7d263e35335.txt",
		"img": "https://archive.orkl.eu/b9368debc75824ef5a87bd0b18ade7d263e35335.jpg"
	}
}