{
	"id": "b04a4abd-1523-4056-b997-e59914ee78f4",
	"created_at": "2026-04-06T00:15:47.933616Z",
	"updated_at": "2026-04-10T13:11:49.219846Z",
	"deleted_at": null,
	"sha1_hash": "b967440402e7cdfa2fddc03a95dff778841036f6",
	"title": "Elephant Beetle - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46464,
	"plain_text": "Elephant Beetle - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 14:49:55 UTC\r\n APT group: Elephant Beetle\r\nNames\r\nElephant Beetle (Sygnia)\r\nTG2003 (Sygnia)\r\nCountry [Unknown]\r\nMotivation Financial crime, Financial gain\r\nFirst seen 2020\r\nDescription\r\n(Sygnia) For the past two years, Sygnia’s Incident Response (IR) team has been tracking a\r\nfinancially motivated threat group targeting and infiltrating organizations from the finance and\r\ncommerce sector in Latin America.\r\nThe attack is relentless in its ingenious simplicity serving as an ideal tactic to hide in plain\r\nsight, without any need to develop exploits.\r\nUsing an arsenal of over 80 unique tools \u0026 scripts, the group executes its attacks patiently over\r\nlong periods of time, blending in with the target’s environment and going completely\r\nundetected while it quietly liberates organizations of exorbitant amounts of money. We are\r\ndubbing this group – Elephant Beetle.\r\nElephant Beetle seems to primarily focus on the Latin American market, but that doesn’t mean\r\nthat organizations that are not based there are safe. Sygnia’s IR team discovered and responded\r\nto an incident at a U.S. based company with an operations branch in Latin America. As such,\r\nboth regional and global organizations should be on their guard.\r\nThe group is highly proficient with Java based attacks and, in many cases, target legacy Java\r\napplications running on Linux-based machines as the means for initial entry to the network.\r\nNot only that, the group even deploys their own complete Java Web Application on the victim\r\nmachine to do their bidding while the machine also runs the intentional application.\r\nThis report is a technical play-by-play of the Elephant Beetle attack as detected, observed and\r\nmitigated by Sygnia’s IR team. 
Elephant Beetle resembles the group tracked by Mandiant as\r\nFIN13.\r\nObserved\r\nSectors: Financial.\r\nCountries: Latin America.\r\nTools used jsp File browser, JSPSPY, MiniWebCmdShell, reGeorg.\r\nInformation \u003chttps://f.hubspotusercontent30.net/hubfs/8776530/Sygnia- Elephant Beetle_Jan2022.pdf\u003e\r\nLast change to this card: 25 January 2022\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=fcae2e45-8caf-4b63-8e4c-075b07815c12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=fcae2e45-8caf-4b63-8e4c-075b07815c12"
	],
	"report_names": [
		"showcard.cgi?u=fcae2e45-8caf-4b63-8e4c-075b07815c12"
	],
	"threat_actors": [
		{
			"id": "575d8adf-f451-4110-b1c0-89fb463e99c0",
			"created_at": "2022-10-25T16:07:23.637493Z",
			"updated_at": "2026-04-10T02:00:04.696832Z",
			"deleted_at": null,
			"main_name": "FIN13",
			"aliases": [],
			"source_name": "ETDA:FIN13",
			"tools": [
				"BLUEAGAVE",
				"BUSTEDPIPE",
				"CLOSEWATCH",
				"GetUserSPNS.vbs",
				"GoBot2",
				"HOTLANE",
				"JSPRAT",
				"MAILSLOT",
				"PowerSploit",
				"ProcDump",
				"SHELLSWEEP",
				"SIXPACK",
				"SPINOFF",
				"SWEARJAR",
				"Tiny SHell",
				"nmap",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50b43f44-b93c-4377-82bc-d6e9c7ef5ee6",
			"created_at": "2022-10-25T16:07:23.573424Z",
			"updated_at": "2026-04-10T02:00:04.673762Z",
			"deleted_at": null,
			"main_name": "Elephant Beetle",
			"aliases": [
				"TG2003"
			],
			"source_name": "ETDA:Elephant Beetle",
			"tools": [
				"JSPSPY",
				"MiniWebCmdShell",
				"jsp File browser",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7aa1288a-61ec-4793-b543-9fedc26b9b03",
			"created_at": "2023-11-01T02:01:06.805323Z",
			"updated_at": "2026-04-10T02:00:05.331884Z",
			"deleted_at": null,
			"main_name": "FIN13",
			"aliases": [
				"FIN13",
				"Elephant Beetle"
			],
			"source_name": "MITRE:FIN13",
			"tools": [
				"Impacket",
				"Mimikatz",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f57e32ac-9f90-471d-93ba-7f6d8b05e6c1",
			"created_at": "2023-01-06T13:46:39.29882Z",
			"updated_at": "2026-04-10T02:00:03.279184Z",
			"deleted_at": null,
			"main_name": "FIN13",
			"aliases": [
				"TG2003",
				"Elephant Beetle"
			],
			"source_name": "MISPGALAXY:FIN13",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434547,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b967440402e7cdfa2fddc03a95dff778841036f6.pdf",
		"text": "https://archive.orkl.eu/b967440402e7cdfa2fddc03a95dff778841036f6.txt",
		"img": "https://archive.orkl.eu/b967440402e7cdfa2fddc03a95dff778841036f6.jpg"
	}
}