{
	"id": "324e3f2a-6cdb-43df-87f0-b5b33577ccfc",
	"created_at": "2026-04-06T00:13:14.534103Z",
	"updated_at": "2026-04-10T13:12:09.448536Z",
	"deleted_at": null,
	"sha1_hash": "cb9d1e05df8384a598c0d3afc2570afcab7d21f6",
	"title": "Operation SalmonSlalom - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51927,
	"plain_text": "Operation SalmonSlalom - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 16:18:44 UTC\nHome \u003e List all groups \u003e Operation SalmonSlalom\n APT group: Operation SalmonSlalom\nNames Operation SalmonSlalom (Kaspersky)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2025\nDescription\n(Kaspersky) A Kaspersky ICS CERT investigation uncovered a cyberthreat specifically\ntargeting various industrial organizations in the Asia-Pacific region. The threat was\norchestrated by attackers using legitimate Chinese cloud content delivery network (CDN)\nmyqcloud and the Youdao Cloud Notes service as part of their attack infrastructure. The\nattackers employed a sophisticated multi-stage payload delivery framework to ensure evasion\nof detection. Their techniques included the use of a native file hosting CDN, publicly available\npackers for sample encryption, dynamic changes in command and control (C2) addresses, a\nCDN hosting the payload, and the use of DLL sideloading.\nObserved\nSectors: Construction, Financial, Government, Healthcare, IT, Manufacturing,\nTelecommunications.\nCountries: China, Hong Kong, Japan, Malaysia, Philippines, Singapore, South Korea, Taiwan,\nThailand, Vietnam.\nTools used FatalRAT.\nInformation\nLast change to this card: 02 March 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=98b23cd0-b341-47a8-85cb-5aeb9df8b974\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=98b23cd0-b341-47a8-85cb-5aeb9df8b974\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=98b23cd0-b341-47a8-85cb-5aeb9df8b974"
	],
	"report_names": [
		"showcard.cgi?u=98b23cd0-b341-47a8-85cb-5aeb9df8b974"
	],
	"threat_actors": [
		{
			"id": "55cc5d0d-d268-4f9d-8241-db957c3e02f3",
			"created_at": "2025-03-03T02:02:00.502379Z",
			"updated_at": "2026-04-10T02:00:04.83508Z",
			"deleted_at": null,
			"main_name": "Operation SalmonSlalom",
			"aliases": [],
			"source_name": "ETDA:Operation SalmonSlalom",
			"tools": [
				"FatalRAT",
				"Sainbox RAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434394,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb9d1e05df8384a598c0d3afc2570afcab7d21f6.pdf",
		"text": "https://archive.orkl.eu/cb9d1e05df8384a598c0d3afc2570afcab7d21f6.txt",
		"img": "https://archive.orkl.eu/cb9d1e05df8384a598c0d3afc2570afcab7d21f6.jpg"
	}
}