{ "id": "2019235a-da89-4d4e-9f6f-13514d7cfa3e", "created_at": "2026-04-06T00:08:20.577467Z", "updated_at": "2026-04-10T13:13:00.03559Z", "deleted_at": null, "sha1_hash": "bec8f54ee1d6bb851120e2f4a9c94702b7e5bf00", "title": "0558 - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52213, "plain_text": "0558 - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:36:31 UTC\n APT group: Storm-0558\nNames\nStorm-0558 (Microsoft)\nAntique Typhoon (Microsoft)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2023\nDescription\n(Microsoft) Historically, this threat actor has displayed an interest in targeting media\ncompanies, think tanks, and telecommunications equipment and service providers. The\nobjective of most Storm-0558 campaigns is to obtain unauthorized access to email accounts\nbelonging to employees of targeted organizations. Storm-0558 pursues this objective through\ncredential harvesting, phishing campaigns, and OAuth token attacks. This threat actor has\ndisplayed an interest in OAuth applications, token theft, and token replay against Microsoft\naccounts since at least August 2021. Storm-0558 operates with a high degree of technical\ntradecraft and operational security. The actors are keenly aware of the target’s environment,\nlogging policies, authentication requirements, policies, and procedures. Storm-0558’s tooling\nand reconnaissance activity suggests the actor is technically adept, well resourced, and has an\nin-depth understanding of many authentication techniques and applications.\nWhile we have discovered some minimal overlaps with other Chinese groups such as Violet\nTyphoon (APT 31, Judgment Panda, Zirconium), we maintain high confidence that Storm-0558 operates as its own distinct group.\nObserved\nSectors: Government, Media, Telecommunications, Think Tanks and individuals connected to\nTaiwan and Uyghur geopolitical interests.\nCountries: USA and Europe.\nTools used China Chopper.\nInformation https://apt.etda.or.th/cgi-bin/showcard.cgi?u=23e2ccea-9daa-415a-a72d-b242bbdb3782\nPage 1 of 2\n\nLast change to this card: 28 June 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=23e2ccea-9daa-415a-a72d-b242bbdb3782\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=23e2ccea-9daa-415a-a72d-b242bbdb3782\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=23e2ccea-9daa-415a-a72d-b242bbdb3782" ], "report_names": [ "showcard.cgi?u=23e2ccea-9daa-415a-a72d-b242bbdb3782" ], "threat_actors": [ { "id": "86fb4ddd-989e-4613-8db8-ca646c553aae", "created_at": "2023-11-01T02:00:07.404201Z", "updated_at": "2026-04-10T02:00:03.381034Z", "deleted_at": null, "main_name": "Storm-0558", "aliases": [], "source_name": "MISPGALAXY:Storm-0558", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1c762729-56f7-48d5-8fb0-b64a43716319", "created_at": "2023-09-07T02:02:47.944899Z", "updated_at": "2026-04-10T02:00:04.907587Z", "deleted_at": null, "main_name": "Storm-0558", "aliases": [ "Antique Typhoon" ], "source_name": "ETDA:Storm-0558", "tools": [ "CHINACHOPPER", "China Chopper", "SinoChopper" ], "source_id": "ETDA", "reports": null }, { "id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784", "created_at": "2023-01-06T13:46:38.953463Z", "updated_at": "2026-04-10T02:00:03.159523Z", "deleted_at": null, "main_name": "APT31", "aliases": [ "JUDGMENT PANDA", "BRONZE VINEWOOD", "Red keres", "Violet Typhoon", "TA412" ], "source_name": "MISPGALAXY:APT31", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9e6186dd-9334-4aac-9957-98f022cd3871", "created_at": "2022-10-25T15:50:23.357398Z", "updated_at": "2026-04-10T02:00:05.368552Z", "deleted_at": null, "main_name": "ZIRCONIUM", "aliases": [ "APT31", "Violet Typhoon" ], "source_name": "MITRE:ZIRCONIUM", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "74d9dada-0106-414a-8bb9-b0d527db7756", "created_at": "2025-08-07T02:03:24.69718Z", "updated_at": "2026-04-10T02:00:03.733346Z", "deleted_at": null, "main_name": "BRONZE VINEWOOD", "aliases": [ "APT31 ", "BRONZE EXPRESS ", "Judgment Panda ", "Red Keres", "TA412", "VINEWOOD ", "Violet Typhoon ", "ZIRCONIUM " ], "source_name": "Secureworks:BRONZE VINEWOOD", "tools": [ "DropboxAES RAT", "HanaLoader", "Metasploit", "Mimikatz", "Reverse ICMP shell", "Trochilus" ], "source_id": "Secureworks", "reports": null }, { "id": "dc7ee503-9494-4fb6-a678-440c68fd31d8", "created_at": "2022-10-25T16:07:23.349177Z", "updated_at": "2026-04-10T02:00:04.552639Z", "deleted_at": null, "main_name": "APT 31", "aliases": [ "APT 31", "Bronze Vinewood", "G0128", "Judgment Panda", "Red Keres", "RedBravo", "TA412", "Violet Typhoon", "Zirconium" ], "source_name": "ETDA:APT 31", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "GrewApacha", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "Mydoor", "PCRat", "PlugX", "RedDelta", "Roarur", "Sakula", "Sakula RAT", "Sakurel", "SinoChopper", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "Xamtrav" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434100, "ts_updated_at": 1775826780, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bec8f54ee1d6bb851120e2f4a9c94702b7e5bf00.pdf", "text": "https://archive.orkl.eu/bec8f54ee1d6bb851120e2f4a9c94702b7e5bf00.txt", "img": "https://archive.orkl.eu/bec8f54ee1d6bb851120e2f4a9c94702b7e5bf00.jpg" } }