{
	"id": "c3f7173c-7ebd-4166-96e6-007160695700",
	"created_at": "2026-04-06T00:14:57.310318Z",
	"updated_at": "2026-04-10T03:36:13.914932Z",
	"deleted_at": null,
	"sha1_hash": "bfd169da180b1bc33b4c59da11011f3285bda453",
	"title": "Bronze Butler, Tick, RedBaldNight, Stalker Panda",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78152,
	"plain_text": "Bronze Butler, Tick, RedBaldNight, Stalker Panda\nArchived: 2026-04-05 15:24:52 UTC\nAPT group: Bronze Butler, Tick, RedBaldNight, Stalker Panda\nNames\nBronze Butler (SecureWorks)\nCTG-2006 (SecureWorks)\nTick (Symantec)\nTEMP.Tick (FireEye)\nRedBaldNight (Trend Micro)\nStalker Panda (Crowdstrike)\nStalker Taurus (Palo Alto)\nSwirl Typhoon (Microsoft)\nG0060 (MITRE)\nCountry: China\nSponsor: State-sponsored, National University of Defense and Technology\nMotivation: Information theft and espionage\nFirst seen: 2006\nDescription\n(SecureWorks) CTU analysis indicates that Bronze Butler primarily targets organizations located in Japan. The threat group has sought unauthorized access to networks of organizations associated with critical infrastructure, heavy industry, manufacturing, and international relations. Secureworks analysts have observed Bronze Butler exfiltrating the following categories of data:\n• Intellectual property related to technology and development\n• Product specifications\n• Sensitive business and sales-related information\n• Network and system configuration files\n• Email messages and meeting minutes\nThe focus on intellectual property, product details, and corporate information suggests that the group seeks information that they believe might be of value to competing organizations. The diverse targeting suggests that Bronze Butler may be tasked by multiple teams or organizations with varying priorities.\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=334d9e0e-dab2-4bc5-8db2-5ab016f36947\nPage 1 of 3\nObserved\nSectors: Critical infrastructure, Defense, Engineering, Government, High-Tech, Industrial, Manufacturing, Media, Technology and International relations.\nCountries: China, Hong Kong, Japan, Russia, Singapore, South Korea, Taiwan, USA.\nTools used\n9002 RAT, 8.t Dropper, Blogspot, Daserf, Datper, Elirks, Gh0st RAT, gsecdump, HomamDownloader, Lilith RAT, Mimikatz, Minzen, rarstar, ShadowPad Winnti, SymonLoader, Windows Credentials Editor.\nOperations performed\nJul 2015\nSymantec discovered the most recent wave of Tick attacks in July 2015, when the group compromised three different Japanese websites with a Flash (.swf) exploit to mount watering hole attacks. Visitors to these websites were infected with a downloader known as Gofarer (Downloader.Gofarer). Gofarer collects information about the compromised computer and then downloads and installs Daserf.\nApr 2017\nWali is a backdoor used for targeted attacks. It gathers information about the compromised machines and their networks, in addition to stealing sensitive information and credentials. Wali’s operators use this information to move laterally in an organization and compromise more machines.\nNov 2017\nDaserf’s infection chain evolved accordingly. It has several methods for infecting its targets of interest: spear phishing emails, watering hole attacks, and exploiting a remote code execution vulnerability (CVE-2016-7836, patched in March 2017) in SKYSEA Client View, an IT asset management software widely used in Japan.\nJun 2018\nTick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems\n2019 Operation “ENDTRADE”\nBy the first half of 2019, we found that the group was able to zero in on specific industries in Japan from which it could steal proprietary information and classified data. We named this campaign “Operation ENDTRADE,” based on its targets.\nJun 2019\nBreach of Mitsubishi Electric\nFeb 2021\nExchange servers under siege from at least 10 APT groups\nMar 2021\nThe slow Tick-ing time bomb: Tick APT group compromise of a DLP software developer in East Asia\nCounter operations\nApr 2021\nTokyo police referred a Chinese man, who is a member of the Chinese Communist Party, to prosecutors Tuesday over his alleged involvement in the cyberattacks, they said.\nInformation\nMITRE ATT\u0026CK Playbook\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=334d9e0e-dab2-4bc5-8db2-5ab016f36947",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=334d9e0e-dab2-4bc5-8db2-5ab016f36947"
	],
	"report_names": [
		"showcard.cgi?u=334d9e0e-dab2-4bc5-8db2-5ab016f36947"
	],
	"threat_actors": [
		{
			"id": "bbefc37d-475c-4d4d-b80b-7a55f896de82",
			"created_at": "2022-10-25T15:50:23.571783Z",
			"updated_at": "2026-04-10T02:00:05.302196Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"BRONZE BUTLER",
				"REDBALDKNIGHT"
			],
			"source_name": "MITRE:BRONZE BUTLER",
			"tools": [
				"Mimikatz",
				"build_downer",
				"cmd",
				"ABK",
				"at",
				"BBK",
				"schtasks",
				"down_new",
				"Daserf",
				"ShadowPad",
				"Windows Credential Editor",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006",
				"Daserf",
				"Stalker Panda",
				"Swirl Typhoon",
				"Tick"
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434497,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bfd169da180b1bc33b4c59da11011f3285bda453.pdf",
		"text": "https://archive.orkl.eu/bfd169da180b1bc33b4c59da11011f3285bda453.txt",
		"img": "https://archive.orkl.eu/bfd169da180b1bc33b4c59da11011f3285bda453.jpg"
	}
}
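The record above merges entries from MITRE, MISP Galaxy, Secureworks and ETDA under one card, and two of them (APT41 / BRONZE ATLAS) are a different actor that shares tooling (ShadowPad, Winnti) rather than an alias with Bronze Butler. The script below is an added example, not code from ORKL, ETDA or any vendor named on the card: it clusters `threat_actors` entries by shared alias (union-find over normalized names), lists the entries that fall outside the cluster of a chosen anchor entry, reports tool names that differ only in punctuation or case, and flags aliases with stray whitespace. `RECORD` is a constructed subset of this page's entries; the trailing spaces on the Secureworks aliases are planted in the constructed input to exercise the whitespace check.

```python
"""Alias-cluster check for a merged threat-actor record (added example, constructed input)."""
import re
from collections import defaultdict

# Constructed subset of the page's threat_actors list. Trailing spaces on the
# Secureworks aliases are planted on purpose to exercise whitespace_artifacts().
RECORD = {
    "threat_actors": [
        {"source_name": "MITRE:BRONZE BUTLER", "main_name": "BRONZE BUTLER",
         "aliases": ["BRONZE BUTLER", "REDBALDKNIGHT"],
         "tools": ["Mimikatz", "Daserf", "ShadowPad", "Windows Credential Editor", "gsecdump"]},
        {"source_name": "MISPGALAXY:Tick", "main_name": "Tick",
         "aliases": ["G0060", "Stalker Taurus", "Swirl Typhoon", "BRONZE BUTLER",
                     "REDBALDKNIGHT", "STALKER PANDA"],
         "tools": []},
        {"source_name": "MISPGALAXY:APT41", "main_name": "APT41",
         "aliases": ["WICKED PANDA", "BRONZE ATLAS", "BARIUM", "Winnti", "G0096"],
         "tools": []},
        {"source_name": "Secureworks:BRONZE BUTLER", "main_name": "BRONZE BUTLER",
         "aliases": ["CTG-2006 ", "Stalker Panda ", "Swirl Typhoon ", "Tick "],
         "tools": ["Daserf", "Datper", "Gofarer", "ShadowPad", "gsecdump"]},
        {"source_name": "Secureworks:BRONZE ATLAS", "main_name": "BRONZE ATLAS",
         "aliases": ["APT41 ", "BARIUM ", "Wicked Panda ", "Winnti"],
         "tools": ["Cobalt Strike", "ChinaChopper"]},
        {"source_name": "ETDA:Bronze Butler", "main_name": "Bronze Butler",
         "aliases": ["Bronze Butler", "CTG-2006", "G0060", "RedBaldNight",
                     "Stalker Panda", "TEMP.Tick", "Tick"],
         "tools": ["8.t Dropper", "8t_dropper", "Daserf", "Gh0st RAT",
                   "ShadowPad Winnti", "WCE", "Windows Credentials Editor"]},
    ]
}


def norm(name: str) -> str:
    """Matching key: casefold and keep only letters and digits, so
    'Stalker Panda ' and 'STALKER PANDA' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.casefold())


def cluster_actors(record):
    """Union-find over entries: two entries are merged when any of their
    main_name/alias keys coincide. Returns clusters (sorted source_name lists),
    largest cluster first."""
    entries = record["threat_actors"]
    parent = list(range(len(entries)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    owner = {}  # normalized key -> index of the first entry that used it
    for idx, e in enumerate(entries):
        for name in [e["main_name"], *e["aliases"]]:
            key = norm(name)
            if not key:
                continue
            if key in owner:
                parent[find(idx)] = find(owner[key])
            else:
                owner[key] = idx
    groups = defaultdict(list)
    for idx, e in enumerate(entries):
        groups[find(idx)].append(e["source_name"])
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def outliers(record, anchor: str):
    """source_name values that are not alias-linked to the entry `anchor`."""
    for group in cluster_actors(record):
        if anchor in group:
            return [e["source_name"] for e in record["threat_actors"]
                    if e["source_name"] not in group]
    raise KeyError(anchor)


def tool_variants(record, anchor: str):
    """Tool names in the anchor's cluster that collapse to one key under norm(),
    i.e. spelling variants of the same tool ('8.t Dropper' vs '8t_dropper')."""
    group = next(g for g in cluster_actors(record) if anchor in g)
    seen = defaultdict(set)
    for e in record["threat_actors"]:
        if e["source_name"] in group:
            for tool in e["tools"]:
                seen[norm(tool)].add(tool.strip())
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def whitespace_artifacts(record):
    """(source_name, alias) pairs whose alias carries leading/trailing whitespace."""
    return [(e["source_name"], a) for e in record["threat_actors"]
            for a in e["aliases"] if a != a.strip()]


if __name__ == "__main__":
    for group in cluster_actors(RECORD):
        print("cluster:", group)
    print("not linked to ETDA:Bronze Butler:", outliers(RECORD, "ETDA:Bronze Butler"))
    print("tool spelling variants:", tool_variants(RECORD, "ETDA:Bronze Butler"))
    print("aliases with stray whitespace:", whitespace_artifacts(RECORD))
```

Note that `norm()` deliberately does not merge names that differ in letters, so "RedBaldNight" (ETDA, Trend Micro) and "REDBALDKNIGHT" (MITRE, MISP) stay distinct keys; the two spellings only end up in the same cluster because the entries share other aliases. A curated synonym map would be needed to fold "WCE" into "Windows Credential(s) Editor".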