{ "id": "14aa3f70-5ec7-41ec-87fc-9c9d1086e6aa", "created_at": "2026-04-06T00:15:06.779349Z", "updated_at": "2026-04-10T03:33:45.875031Z", "deleted_at": null, "sha1_hash": "bb5d53cbfa423b4869f04c36f12d17715dde7ad1", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54571, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:17:32 UTC\r\nHome \u003e List all groups \u003e LookBack, TA410\r\n APT group: LookBack, TA410\r\nNames\r\nLookBack (Proofpoint)\r\nTA410 (Proofpoint)\r\nWitchetty (Symantec)\r\nLookingFrog (ESET)\r\nFlowingFrog (ESET)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2019\r\nDescription\r\n(Proofpoint) Between July 19 and July 25, 2019, several spear phishing emails were\r\nidentified targeting three US companies in the utilities sector. The phishing emails\r\nappeared to impersonate a US-based engineering licensing board with emails\r\noriginating from what appears to be an actor-controlled\r\ndomain, nceess[.]com. Nceess[.]com is believed to be an impersonation of a domain\r\nowned by the US National Council of Examiners for Engineering and Surveying.\r\nThe emails contain a malicious Microsoft Word attachment that uses macros to\r\ninstall and run malware that Proofpoint researchers have dubbed “LookBack.” This\r\nmalware consists of a remote access Trojan (RAT) module and a proxy mechanism\r\nused for command and control (C\u0026C) communication.  We believe this may be the\r\nwork of a state-sponsored APT actor based on overlaps with historical campaigns\r\nand macros utilized. The utilization of this distinct delivery methodology coupled\r\nwith unique LookBack malware highlights the continuing threats posed by\r\nsophisticated adversaries to utilities systems and critical infrastructure providers.\r\nProofpoint found similarities in malware delivery with Stone Panda, APT 10,\r\nmenuPass, but those may have been false flags.\r\nObserved\r\nSectors: Energy, Utilities.\r\nCountries: USA and Middle East and Africa.\r\nTools used FlowCloud, GUP Proxy Tool, SodomMain, SodomNormal.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=0cd75659-1c39-4647-8781-3e65d79f2cd5\r\nPage 1 of 2\n\nOperations performed\nJul 2019\nAt the same time as the LookBack campaigns, Proofpoint researchers\nidentified a new, additional malware family named FlowCloud that\nwas also being delivered to U.S. utilities providers.\nAug 2019\nLookBack Forges Ahead: Continued Targeting of the United States’\nUtilities Sector Reveals Additional Adversary TTPs\nFeb 2022\nWitchetty: Group Uses Updated Toolset in Attacks on Governments\nin Middle East\nInformation\nLast change to this card: 29 November 2023\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0cd75659-1c39-4647-8781-3e65d79f2cd5\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=0cd75659-1c39-4647-8781-3e65d79f2cd5\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0cd75659-1c39-4647-8781-3e65d79f2cd5" ], "report_names": [ "showcard.cgi?u=0cd75659-1c39-4647-8781-3e65d79f2cd5" ], "threat_actors": [ { "id": "ec14074c-8517-40e1-b4d7-3897f1254487", "created_at": "2023-01-06T13:46:38.300905Z", "updated_at": "2026-04-10T02:00:02.918468Z", "deleted_at": null, "main_name": "APT10", "aliases": [ "Red Apollo", "HOGFISH", "BRONZE RIVERSIDE", "G0045", "TA429", "Purple Typhoon", "STONE PANDA", "Menupass Team", "happyyongzi", "CVNX", "Cloud Hopper", "ATK41", "Granite Taurus", "POTASSIUM" ], "source_name": "MISPGALAXY:APT10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3", "created_at": "2022-10-25T16:07:23.80111Z", "updated_at": "2026-04-10T02:00:04.753677Z", "deleted_at": null, "main_name": "LookBack", "aliases": [ "FlowingFrog", "LookBack", "LookingFrog", "TA410", "Witchetty" ], "source_name": "ETDA:LookBack", "tools": [ "FlowCloud", "GUP Proxy Tool", "SodomMain", "SodomMain RAT", "SodomNormal" ], "source_id": "ETDA", "reports": null }, { "id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1", "created_at": "2023-01-06T13:46:39.059774Z", "updated_at": "2026-04-10T02:00:03.199867Z", "deleted_at": null, "main_name": "TA410", "aliases": [], "source_name": "MISPGALAXY:TA410", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3e8f802c-efba-45ff-8844-5ea4e4a5297d", "created_at": "2023-11-07T02:00:07.092751Z", "updated_at": "2026-04-10T02:00:03.404589Z", "deleted_at": null, "main_name": "Witchetty", "aliases": [ "LookingFrog" ], "source_name": "MISPGALAXY:Witchetty", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ba9fa308-a29a-4928-9c06-73aafec7624c", "created_at": "2024-05-01T02:03:07.981061Z", "updated_at": "2026-04-10T02:00:03.750803Z", "deleted_at": null, "main_name": "BRONZE RIVERSIDE", "aliases": [ "APT10 ", "CTG-5938 ", "CVNX ", "Hogfish ", "MenuPass ", "MirrorFace ", "POTASSIUM ", "Purple Typhoon ", "Red Apollo ", "Stone Panda " ], "source_name": "Secureworks:BRONZE RIVERSIDE", "tools": [ "ANEL", "AsyncRAT", "ChChes", "Cobalt Strike", "HiddenFace", "LODEINFO", "PlugX", "PoisonIvy", "QuasarRAT", "QuasarRAT Loader", "RedLeaves" ], "source_id": "Secureworks", "reports": null }, { "id": "04b07437-41bb-4126-bcbb-def16f19d7c6", "created_at": "2022-10-25T16:07:24.232628Z", "updated_at": "2026-04-10T02:00:04.906097Z", "deleted_at": null, "main_name": "Stone Panda", "aliases": [ "APT 10", "ATK 41", "Bronze Riverside", "CTG-5938", "CVNX", "Cuckoo Spear", "Earth Kasha", "G0045", "G0093", "Granite Taurus", "Happyyongzi", "Hogfish", "ITG01", "Operation A41APT", "Operation Cache Panda", "Operation ChessMaster", "Operation Cloud Hopper", "Operation Cuckoo Spear", "Operation New Battle", "Operation Soft Cell", "Operation TradeSecret", "Potassium", "Purple Typhoon", "Red Apollo", "Stone Panda", "TA429", "menuPass", "menuPass Team" ], "source_name": "ETDA:Stone Panda", "tools": [ "Agent.dhwf", "Agentemis", "Anel", "AngryRebel", "BKDR_EVILOGE", "BKDR_HGDER", "BKDR_NVICM", "BUGJUICE", "CHINACHOPPER", "ChChes", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "DARKTOWN", "DESLoader", "DILLJUICE", "DILLWEED", "Darkmoon", "DelfsCake", "Derusbi", "Destroy RAT", "DestroyRAT", "Ecipekac", "Emdivi", "EvilGrab", "EvilGrab RAT", "FYAnti", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "GreetCake", "HAYMAKER", "HEAVYHAND", "HEAVYPOT", "HTran", "HUC Packet Transmit Tool", "Ham Backdoor", "HiddenFace", "Impacket", "Invoke the Hash", "KABOB", "Kaba", "Korplug", "LODEINFO", "LOLBAS", "LOLBins", "Living off the Land", "MiS-Type", "Mimikatz", "Moudour", "Mydoor", "NBTscan", "NOOPDOOR", "Newsripper", "P8RAT", "PCRat", "PlugX", "Poison Ivy", "Poldat", "PowerSploit", "PowerView", "PsExec", "PsList", "Quarks PwDump", "Quasar RAT", "QuasarRAT", "RedDelta", "RedLeaves", "Rubeus", "SNUGRIDE", "SPIVY", "SharpSploit", "SigLoader", "SinoChopper", "SodaMaster", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "UpperCut", "Vidgrab", "WinRAR", "WmiExec", "Wmonder", "Xamtrav", "Yggdrasil", "Zlib", "certutil", "certutil.exe", "cobeacon", "dfls", "lena", "nbtscan", "pivy", "poisonivy", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a", "created_at": "2022-10-25T15:50:23.298889Z", "updated_at": "2026-04-10T02:00:05.316886Z", "deleted_at": null, "main_name": "menuPass", "aliases": [ "menuPass", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE" ], "source_name": "MITRE:menuPass", "tools": [ "certutil", "FYAnti", "UPPERCUT", "SNUGRIDE", "P8RAT", "RedLeaves", "SodaMaster", "pwdump", "Mimikatz", "PlugX", "PowerSploit", "ChChes", "cmd", "QuasarRAT", "AdFind", "Cobalt Strike", "PoisonIvy", "EvilGrab", "esentutl", "Impacket", "Ecipekac", "PsExec", "HUI Loader" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434506, "ts_updated_at": 1775792025, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bb5d53cbfa423b4869f04c36f12d17715dde7ad1.pdf", "text": "https://archive.orkl.eu/bb5d53cbfa423b4869f04c36f12d17715dde7ad1.txt", "img": "https://archive.orkl.eu/bb5d53cbfa423b4869f04c36f12d17715dde7ad1.jpg" } }