{
	"id": "3dde71c6-40cd-40bf-b511-aaa73d695a0a",
	"created_at": "2026-04-06T00:20:19.164688Z",
	"updated_at": "2026-04-10T13:12:28.870068Z",
	"deleted_at": null,
	"sha1_hash": "c66742d42c0409de5c22a04a0c6102f259ffb5a4",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55218,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 12:55:18 UTC\r\n APT group: LightBasin\r\nNames\r\nLightBasin (CrowdStrike)\r\nUNC1945 (FireEye)\r\nTH-239 (Yoroi)\r\nDecisiveArchitect (CrowdStrike)\r\nLuminal Panda (CrowdStrike)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2016\r\nDescription\r\n(CrowdStrike) CrowdStrike Services, CrowdStrike Intelligence and Falcon OverWatch™ have\r\ninvestigated multiple intrusions within the telecommunications sector from a sophisticated\r\nactor tracked as the LightBasin activity cluster, also publicly known as UNC1945. Active since\r\nat least 2016, LightBasin employs significant operational security (OPSEC) measures,\r\nprimarily establishing implants across Linux and Solaris servers, with a particular focus on\r\nspecific telecommunications systems,1 and only interacting with Windows systems as needed.\r\nLightBasin’s focus on Linux and Solaris systems is likely due to the combination of critical\r\ntelecommunications infrastructure running on those operating systems, in addition to the\r\ncomparatively lax security measures and monitoring solutions on Linux/Solaris systems relative to those\r\ntypically in place on Windows operating systems within an organization.\r\nLightBasin managed to initially compromise one of the telecommunication companies in a\r\nrecent CrowdStrike Services investigation by leveraging external DNS (eDNS) servers —\r\nwhich are part of the General Packet Radio Service (GPRS) network and play a role in\r\nroaming between different mobile operators — to connect directly to and from other\r\ncompromised telecommunication companies’ GPRS networks via SSH and through previously\r\nestablished implants. 
CrowdStrike identified evidence of at least 13 telecommunication\r\ncompanies across the world compromised by LightBasin dating back to at least 2019.\r\nThere is some overlap with UNC2891.\r\nObserved Sectors: Financial, IT, Telecommunications.\r\nTools used CordScan, EVILSUN, FRP, Impacket, LEMONSTICK, LOGBLEACH, OKSOLO,\r\nOPENSHACKLE, ProxyChains, PupyRAT, SIGTRANslator, SLAPSTICK, SMBExec,\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=19246de9-ed86-49fc-9153-49f0bbe20feb\r\nPage 1 of 2\n\nSTEELCORGI, Tiny SHell, Living off the Land.\nInformation\nLast change to this card: 26 December 2024\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=19246de9-ed86-49fc-9153-49f0bbe20feb\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=19246de9-ed86-49fc-9153-49f0bbe20feb\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=19246de9-ed86-49fc-9153-49f0bbe20feb"
	],
	"report_names": [
		"showcard.cgi?u=19246de9-ed86-49fc-9153-49f0bbe20feb"
	],
	"threat_actors": [
		{
			"id": "8b0219d5-cb32-4702-a4d6-7de8beb9b7a8",
			"created_at": "2022-10-25T16:07:24.364598Z",
			"updated_at": "2026-04-10T02:00:04.955871Z",
			"deleted_at": null,
			"main_name": "UNC2891",
			"aliases": [],
			"source_name": "ETDA:UNC2891",
			"tools": [
				"BINBASH",
				"CAKETAP",
				"MIGLOGCLEANER",
				"SLAPSTICK",
				"STEELCORGI",
				"STEELHOUND",
				"SUN4ME",
				"Tiny SHell",
				"WINGCRACK",
				"WINGHOOK",
				"WIPERIGHT",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434819,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c66742d42c0409de5c22a04a0c6102f259ffb5a4.pdf",
		"text": "https://archive.orkl.eu/c66742d42c0409de5c22a04a0c6102f259ffb5a4.txt",
		"img": "https://archive.orkl.eu/c66742d42c0409de5c22a04a0c6102f259ffb5a4.jpg"
	}
}