{
	"id": "1febb942-c869-452b-9b4f-a73bfb07cfd9",
	"created_at": "2026-04-06T00:12:25.067295Z",
	"updated_at": "2026-04-10T03:36:25.380088Z",
	"deleted_at": null,
	"sha1_hash": "c84cd639cb5262db6ce77c41b53b8b0ecff74617",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56771,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:39:43 UTC\r\n APT group: Chimera\r\nNames\r\nChimera (CyCraft)\r\nBronze Vapor (SecureWorks)\r\nRed Charon (PWC)\r\nTHORIUM (Microsoft)\r\nTumbleweed Typhoon (Microsoft)\r\nNuclear Taurus (Palo Alto)\r\nG0114 (MITRE)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2018\r\nDescription\r\n(CyCraft) For nearly two years, our team monitored several attacks that targeted\r\nTaiwan’s semiconductor vendors. We believe these attacks originated from the same\r\nthreat actor – Chimera – as these attacks utilized similar tactics, techniques and even\r\nthe same customized malware. The actor likely harvested various valid credentials\r\nvia phishing emails or data breaches as their starting point to conduct their cyber\r\nattack on the vendors. Cobalt Strike was later used as their main RAT tool. To avoid\r\ndetection, the Cobalt Strike RAT was often masqueraded as a Google Chrome\r\nUpdate. The RAT would then connect back to their C2 server. As these servers were\r\nin a public cloud server, it made it difficult to track. Subsequently, by compromising\r\nthe AD server, the delicate malware – SkeletonKeyInjector – was invoked to implant\r\na general key to allow LM, persistence and defense evasion. Although this malware\r\nwas discovered for the first time, we have high confidence that these attacks were\r\nconducted by the same threat actor. Based on the stolen data, we infer that the actor’s\r\ngoal was to harvest company trade secrets. 
The motive may be related to business\r\ncompetition or a country’s industrial strategy.\r\nObserved\r\nSectors: Aviation, High-Tech.\r\nCountries: Netherlands, Taiwan and different geographical areas.\r\nTools used Cobalt Strike, SkeletonKeyInjector.\r\nOperations performed Late 2017 Hackers spent 2+ years looting secrets of chipmaker NXP before\r\nbeing detected\r\nLate 2018\nOperation “Skeleton Key”\nOct 2019\nNCC Group and Fox-IT have been tracking a threat group with a\nwide set of interests, from intellectual property (IP) from victims in\nthe semiconductors industry through to passenger data from the\nairline industry.\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1b8fc69c-574a-4c14-9603-0c3a0de08b6f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1b8fc69c-574a-4c14-9603-0c3a0de08b6f"
	],
	"report_names": [
		"showcard.cgi?u=1b8fc69c-574a-4c14-9603-0c3a0de08b6f"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "81ea5ca6-9450-4188-95c6-58cea919f6b0",
			"created_at": "2023-01-06T13:46:39.419536Z",
			"updated_at": "2026-04-10T02:00:03.320575Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [],
			"source_name": "MISPGALAXY:BRONZE VAPOR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3f53ecb7-e228-471d-8f85-0b2ba110ab4b",
			"created_at": "2023-01-06T13:46:39.181151Z",
			"updated_at": "2026-04-10T02:00:03.237995Z",
			"deleted_at": null,
			"main_name": "Red Charon",
			"aliases": [],
			"source_name": "MISPGALAXY:Red Charon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434345,
	"ts_updated_at": 1775792185,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c84cd639cb5262db6ce77c41b53b8b0ecff74617.pdf",
		"text": "https://archive.orkl.eu/c84cd639cb5262db6ce77c41b53b8b0ecff74617.txt",
		"img": "https://archive.orkl.eu/c84cd639cb5262db6ce77c41b53b8b0ecff74617.jpg"
	}
}