{ "id": "e2f7e580-2bc5-48f8-bb15-25fb7d239b90", "created_at": "2026-04-06T00:10:28.037405Z", "updated_at": "2026-04-10T03:36:21.956814Z", "deleted_at": null, "sha1_hash": "d6ac6721eb5ea4b1148b0063f9dc589946883bad", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46587, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:46:31 UTC\n Other threat group: Bismuth\nNames\nBismuth (Microsoft)\nCanvas Cyclone (Microsoft)\nCountry Vietnam\nMotivation Information theft and espionage, Financial gain\nFirst seen 2012\nDescription\n(Microsoft) BISMUTH, which shares similarities with APT 32, OceanLotus, SeaLotus, has\nbeen running increasingly complex cyberespionage attacks as early as 2012, using both custom\nand open-source tooling to target large multinational corporations, governments, financial\nservices, educational institutions, and human and civil rights organizations. But in campaigns\nfrom July to August 2020, the group deployed Monero coin miners in attacks that targeted\nboth the private sector and government institutions in France and Vietnam.\nBecause BISMUTH’s attacks involved techniques that ranged from typical to more advanced,\ndevices with common threat activities like phishing and coin mining should be elevated and\ninspected for advanced threats. More importantly, organizations should prioritize reducing\nattack surface and hardening networks against the full range of attacks. In this blog, we’ll\nprovide in-depth technical details about the BISMUTH attacks in July and August 2020 and\nmitigation recommendations for building organizational resilience.\nObserved\nSectors: Education, Financial, Government.\nCountries: France, Vietnam.\nTools used\nInformation\nLast change to this card: 26 April 2023\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9adbce9a-231f-4bd0-a104-03324899afa8\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9adbce9a-231f-4bd0-a104-03324899afa8\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9adbce9a-231f-4bd0-a104-03324899afa8" ], "report_names": [ "showcard.cgi?u=9adbce9a-231f-4bd0-a104-03324899afa8" ], "threat_actors": [ { "id": "af509bbb-8d18-4903-a9bd-9e94099c6b30", "created_at": "2023-01-06T13:46:38.585525Z", "updated_at": "2026-04-10T02:00:03.030833Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "OceanLotus", "ATK17", "G0050", "APT-C-00", "APT-32", "Canvas Cyclone", "SeaLotus", "Ocean Buffalo", "OceanLotus Group", "Cobalt Kitty", "Sea Lotus", "APT 32", "POND LOACH", "TIN WOODLAWN", "Ocean Lotus" ], "source_name": "MISPGALAXY:APT32", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3f86085e-95c5-4007-8bd7-86ad330ce4eb", "created_at": "2022-10-25T16:07:24.457008Z", "updated_at": "2026-04-10T02:00:04.998531Z", "deleted_at": null, "main_name": "Bismuth", "aliases": [ "Canvas Cyclone" ], "source_name": "ETDA:Bismuth", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "870f6f62-84f5-48ca-a18e-cf2902cd6924", "created_at": "2022-10-25T15:50:23.303818Z", "updated_at": "2026-04-10T02:00:05.301184Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "APT32", "SeaLotus", "OceanLotus", "APT-C-00", "Canvas Cyclone" ], "source_name": "MITRE:APT32", "tools": [ "Mimikatz", "ipconfig", "Kerrdown", "Cobalt Strike", "SOUNDBITE", "OSX_OCEANLOTUS.D", "KOMPROGO", "netsh", "RotaJakiro", "PHOREAL", "Arp", "Denis", "Goopy" ], "source_id": "MITRE", "reports": null }, { "id": "5da6b5fd-1955-412a-81aa-069fb50b6e31", "created_at": "2025-08-07T02:03:25.116085Z", "updated_at": "2026-04-10T02:00:03.668978Z", "deleted_at": null, "main_name": "TIN WOODLAWN", "aliases": [ "APT32 ", "Cobalt Kitty", "OceanLotus", "WOODLAWN " ], "source_name": "Secureworks:TIN WOODLAWN", "tools": [ "Cobalt Strike", "Denis", "Goopy", "JEShell", "KerrDown", "Mimikatz", "Ratsnif", "Remy", "Rizzo", "RolandRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "2439ad53-39cc-4fff-8fdf-4028d65803c0", "created_at": "2022-10-25T16:07:23.353204Z", "updated_at": "2026-04-10T02:00:04.55407Z", "deleted_at": null, "main_name": "APT 32", "aliases": [ "APT 32", "APT-C-00", "APT-LY-100", "ATK 17", "G0050", "Lotus Bane", "Ocean Buffalo", "OceanLotus", "Operation Cobalt Kitty", "Operation PhantomLance", "Pond Loach", "SeaLotus", "SectorF01", "Tin Woodlawn" ], "source_name": "ETDA:APT 32", "tools": [ "Agentemis", "Android.Backdoor.736.origin", "AtNow", "Backdoor.MacOS.OCEANLOTUS.F", "BadCake", "CACTUSTORCH", "CamCapture Plugin", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Cuegoe", "DKMC", "Denis", "Goopy", "HiddenLotus", "KOMPROGO", "KerrDown", "METALJACK", "MSFvenom", "Mimikatz", "Nishang", "OSX_OCEANLOTUS.D", "OceanLotus", "PHOREAL", "PWNDROID1", "PhantomLance", "PowerSploit", "Quasar RAT", "QuasarRAT", "RatSnif", "Remy", "Remy RAT", "Rizzo", "Roland", "Roland RAT", "SOUNDBITE", "Salgorea", "Splinter RAT", "Terracotta VPN", "Yggdrasil", "cobeacon", "denesRAT", "fingerprintjs2" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434228, "ts_updated_at": 1775792181, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d6ac6721eb5ea4b1148b0063f9dc589946883bad.pdf", "text": "https://archive.orkl.eu/d6ac6721eb5ea4b1148b0063f9dc589946883bad.txt", "img": "https://archive.orkl.eu/d6ac6721eb5ea4b1148b0063f9dc589946883bad.jpg" } }