{ "id": "f63650ae-7c3c-4483-98e7-ccbaf3aee3d5", "created_at": "2026-04-06T00:13:03.483047Z", "updated_at": "2026-04-10T03:25:12.671382Z", "deleted_at": null, "sha1_hash": "d54a9358f5255e469387bd368690ab5f3c483cdd", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46884, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:17:51 UTC\n APT group: Honeybee\nNames\nHoneybee (McAfee)\nG0072 (MITRE)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2017\nDescription\n(McAfee) McAfee Advanced Threat Research analysts have discovered a new operation\ntargeting humanitarian aid organizations and using North Korean political topics as bait\nto lure victims into opening malicious Microsoft Word documents. Our analysts have\nnamed this Operation Honeybee, based on the names of the malicious documents used\nin the attacks.\nAdvanced Threat Research analysts have also discovered malicious documents authored\nby the same actor that indicate a tactical shift. These documents do not contain the\ntypical lures by this actor, instead using Word compatibility messages to entice victims\ninto opening them.\nThe Advanced Threat Research team also observed a heavy concentration of the implant\nin Vietnam from January 15–17.\nObserved\nSectors: Those involved in humanitarian aid and inter-Korean affairs.\nCountries: Argentina, Canada, Indonesia, Japan, Singapore, South Korea, Vietnam.\nTools used Syscon, Living off the Land.\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=84c2b582-22dd-4dd0-b690-a7b4ff3477ee\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=84c2b582-22dd-4dd0-b690-a7b4ff3477ee\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=84c2b582-22dd-4dd0-b690-a7b4ff3477ee\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=84c2b582-22dd-4dd0-b690-a7b4ff3477ee" ], "report_names": [ "showcard.cgi?u=84c2b582-22dd-4dd0-b690-a7b4ff3477ee" ], "threat_actors": [ { "id": "4025d5c4-53e5-4f0c-80de-80ac6e17c25a", "created_at": "2022-10-25T16:07:23.710983Z", "updated_at": "2026-04-10T02:00:04.721992Z", "deleted_at": null, "main_name": "Honeybee", "aliases": [ "G0072" ], "source_name": "ETDA:Honeybee", "tools": [ "LOLBAS", "LOLBins", "Living off the Land", "SYSCON", "Sanny", "Syscon" ], "source_id": "ETDA", "reports": null }, { "id": "e3dd6bd6-ec4e-48c4-bcdf-42cd1d68a6fe", "created_at": "2023-01-06T13:46:38.983963Z", "updated_at": "2026-04-10T02:00:03.171396Z", "deleted_at": null, "main_name": "Honeybee", "aliases": [ "G0072" ], "source_name": "MISPGALAXY:Honeybee", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3e204dce-1974-4051-85dc-849fcd5c1226", "created_at": "2022-10-25T15:50:23.772479Z", "updated_at": "2026-04-10T02:00:05.288825Z", "deleted_at": null, "main_name": "Honeybee", "aliases": [ "Honeybee" ], "source_name": "MITRE:Honeybee", "tools": [ "Tasklist", "cmd", "Systeminfo" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434383, "ts_updated_at": 1775791512, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d54a9358f5255e469387bd368690ab5f3c483cdd.pdf", "text": "https://archive.orkl.eu/d54a9358f5255e469387bd368690ab5f3c483cdd.txt", "img": "https://archive.orkl.eu/d54a9358f5255e469387bd368690ab5f3c483cdd.jpg" } }