{
	"id": "9355de9f-2f08-4122-9a80-c5d3795aa401",
	"created_at": "2026-04-06T00:06:27.380949Z",
	"updated_at": "2026-04-10T03:36:07.162851Z",
	"deleted_at": null,
	"sha1_hash": "d89cee28bd0638967ab3ec938b64b82ab33f0428",
	"title": "Attack Campaign on the Government of Thailand Delivers Bookworm Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2474359,
	"plain_text": "Attack Campaign on the Government of Thailand Delivers\r\nBookworm Trojan\r\nBy Robert Falcone, Mike Scott, Juan Cortes\r\nPublished: 2015-11-24 · Archived: 2026-04-05 15:54:18 UTC\r\nUnit 42 recently published a blog on a newly identified Trojan called Bookworm, which discussed the architecture\r\nand capabilities of the malware and alluded to Thailand being the focus of the threat actors’ campaigns.\r\nIn this blog, we will discuss the current attack campaign along with the associated threat infrastructure and the\r\nactors’ tactics, techniques and procedures (TTPs). The following list provides a summary of the threat actors’\r\nTTPs, which we will cover in this blog:\r\nActively attacking targets in Thailand, specifically government entities.\r\nUses the Bookworm Trojan as the payload in attacks.\r\nHas access to compromised servers that they use to host Bookworm for download.\r\nKnown to use spear-phishing as the attack vector to compromise targets, but have access to compromised\r\nweb servers that could facilitate strategic web compromise (SWC) as an attack vector in the future.\r\nUses standalone Flash Player to play slideshows that contain pictures of current events in Thailand as\r\ndecoy documents, but also uses the legitimate Flash Player installation application as a decoy in some\r\ninstances.\r\nUses date codes to track campaigns or Trojan versions. If date codes are indeed used as campaign\r\nidentifiers, then the dates precede the attacks or the current events seen in decoys by 6 to 18 days, which provides a\r\nglimpse into the development and operational tempo of this group.\r\nUses a large command and control (C2) infrastructure, which heavily favors dynamic DNS domains for C2\r\nservers.\r\nDeployed the Poison Ivy, PlugX, FFRAT and Scieron malware families.\r\nBookworm Attack Campaign\r\nThreat actors have delivered Bookworm as a payload in attacks on targets in Thailand. 
Readers who are interested\r\nin this campaign should start with our first blog, which lays out the overall functionality of the malware and\r\nintroduces its many components.\r\nUnit 42 does not have detailed targeting information for all known Bookworm samples, but we are aware of\r\nattempted attacks on at least two branches of government in Thailand. We speculate that other attacks delivering\r\nBookworm were also targeting organizations in Thailand based on the contents of the associated decoy\r\ndocuments, as well as several of the dynamic DNS domain names used to host C2 servers that contain the words\r\n“Thai” or “Thailand”. Analysis of compromised systems seen communicating with Bookworm C2 servers also\r\nconfirms our speculation on targeting, with a majority of systems existing within Thailand.\r\nStatic Date Codes and Decoys\r\nhttps://unit42.paloaltonetworks.com/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/\r\nPage 1 of 14\n\nAs mentioned in our previous blog on Bookworm, the Trojan sends a static date string to the C2 server that we\r\nreferred to as a campaign code. We believed that the actors would use this date code to track their attack\r\ncampaigns; however, after continued analysis of the malware, we think these static dates could also be a build\r\nidentifier for the Trojan. It is difficult to determine the exact purpose of these static date codes with our current\r\ndata set, but we will cover both possibilities in the next sections. While we currently favor the theory that these\r\ndates act as campaign codes, we extracted the following unique date codes from all known Bookworm samples, which\r\nsuggest that the threat actors began their campaign in June or July 2015:\r\n20150626\r\n20150716\r\n20150801\r\n20150818\r\n20150905\r\n20150920\r\nTrojan Build Dates\r\nThreat actors may use the date string hardcoded into each Bookworm sample as a build identifier. 
A Trojan\r\nsending a build identifier to its C2 server is quite common, as it notifies the threat actors of the specific version of\r\nthe Trojan with which they are interacting. As mentioned in our previous blog, Bookworm is fairly complex based\r\non its modular framework, which suggests that the threat actors would need to know the exact version of the\r\nTrojan they are communicating with in order to install appropriate supplemental modules.\r\nWhile a plausible premise, our data set does not fully support the hardcoded dates in Bookworm samples being a\r\nbuild identifier. To attempt to confirm the dates acting as a build ID, we extracted all of the modules for each\r\nBookworm sample. We then compared the modules of each Bookworm sample that had the same date values.\r\nMost of the modules were identical amongst Bookworm samples using the same date string, but several samples\r\nhad differing modules yet the same date string. For instance, Table 1 shows two sets of Bookworm samples with\r\nthe “20150716” and “20150818” date codes that have completely different Leader.dll modules.\r\nDate Code Leader.dll Module Compile Date\r\n20150716 e602a12e8173ca17ba4a0c6c12a094c1 2015-07-18\r\n20150716 4537257cb69a467a63c5a561825571f9 2015-07-23\r\n20150818 e6cb32805bc5d758a5ea1dcd3c05beb8 2015-08-24\r\n20150818 7065c709dd9dc7072dd5a5e2904c2d78 2015-08-31\r\nTable 1 Two sets of Bookworm samples that share a static date code but have different Leader modules\r\nIf the Bookworm developers used the date code as a build identifier, it would suggest that a new date code would\r\nhave been added to samples using the new Leader module. Due to these changes without a new date string, we\r\nbelieve the date codes are used for campaign tracking rather than as a Bookworm build identifier. 
Unit 42 will\r\ncontinue to compare the date codes to the Bookworm modules in future samples and will modify our assessment if\r\nindications suggest the date string is indeed a build identifier.\r\nCampaign Codes\r\nWe believe that Bookworm samples use the static date string as campaign codes, which we used to determine the\r\napproximate date of each attack for which we did not have detailed targeting information. We also compared these\r\ncampaign codes to the date the attacks occurred or the date of the event seen in decoy documents to get a sense of\r\nthe threat group’s internal operations.\r\nA number of the Bookworm samples include a decoy that is opened during installation of the malware in an\r\nattempt to disguise the compromise. The threat actors have used two types of decoys thus far: a legitimate Flash\r\nPlayer installation application and a standalone Flash application to display a photo slideshow. The use of a Flash\r\nPlayer installer, seen in Figure 1, suggests that the threat actors are using social engineering to instruct the victim\r\nto update or install the Flash Player application. The Bookworm campaign code “20150818” was used in all\r\nsamples associated with these legitimate Flash Player installers.\r\nFigure 1 Adobe Flash Player Installer used as a Decoy\r\nUnit 42 has witnessed six decoy slideshows used in a Bookworm campaign targeting Thailand. All six of these\r\ndecoy slideshows contain pictures that in some manner relate to Thailand. One known decoy includes an\r\nanimation of what appears to be children in Thailand going to temple (Figure 2), which is associated with a spear-phishing attack on a branch of the Thailand government that occurred on July 27, 2015. 
The decoy’s filename is\r\n“wankaophansa.exe”, which suggests the animation is regarding Wan Kao Phansa, a term for the first day of the\r\nthree-month-long rainy season. Wan Kao Phansa is a national holiday in Thailand, which in 2015 started on July\r\n31. The attack occurred four days before the actual holiday and had a campaign code of “20150716”, which is\r\neleven days before the attack took place.\r\nFigure 2 Decoy slideshow of children in Thailand celebrating Wan Kao Phansa or Buddhist Lent\r\nWe do not have detailed targeting information on the attacks that delivered the remaining five decoy slideshows.\r\nTo determine the approximate date of these attacks, we compared the Bookworm campaign code associated with\r\neach decoy slideshow and found that they coincide with the timeline of events seen in the photos in the decoy\r\nslideshows.\r\nThree of the decoys analyzed are related to the August 17, 2015 bombing near the Erawan Shrine in Bangkok,\r\nThailand, as seen in Figures 3, 4 and 5. The campaign code “20150801” is associated with the decoy slideshow\r\nshowing the graphic Erawan Shrine bombing (Figure 3), which is 16 days before the actual event took place.\r\nFigure 3 Picture from Decoy Slideshow showing Erawan Shrine Bombing in Bangkok\r\n(http://metro.co.uk/2015/08/17/huge-explosion-in-central-bangkok-near-major-tourist-attraction-5347076/)\r\nThe second bombing-related decoy, seen in Figure 4, contained pictures of the arrest of a bombing suspect named\r\nAdem Karadag. 
This arrest was made on August 29, 2015, which is 11 days after the campaign code “20150818”\r\nthat was associated with the decoy slideshow.\r\nFigure 4 Picture from a Decoy Slideshow Showing the Arrest of a Bomber Related to the Erawan\r\nShrine Bombing in Bangkok, Thailand\r\nThe third and final bombing-related decoy slideshow contains pictures of Adem Karadag re-enacting his role in\r\nthe bombing for police (Figure 5). This re-enactment is a standard procedure for Thai police, which in this\r\nparticular case took place on September 26, 2015. The campaign code “20150920” is associated with this decoy,\r\nwhich is six days before the actual event took place.\r\nFigure 5 Picture from Decoy Slideshow of Erawan Shrine Bombing Suspect at the Crime Scene\r\nAnother decoy slideshow associated with the Bookworm attack campaign contains photos of an event called Bike\r\nfor Dad 2015. Bike for Dad is a cycling event that will be held on December 11, 2015 to commemorate the King\r\nof Thailand Bhumibol Adulyadej’s 88th birthday. Many high profile figures in Thailand are promoting this event,\r\nsuch as the Prime Minister Prayut Chan-o-cha, who is seen in many of the images in the decoy slideshow (Figure 6).\r\nFigure 6 Decoy Slideshow with Pictures Regarding Bike for Dad 2015 (http://www.m-society.go.th/ewt_news.php?nid=15002)\r\nThe campaign code “20150920” is associated with this decoy, which is a week prior to media articles announcing\r\nthat the Crown Prince of Thailand Maha Vajiralongkorn will lead the Bike for Dad 2015 event. At first, we believed\r\nthe use of the Bike for Dad 2015 event was unrelated to the previous Erawan Shrine bombing decoys. According to\r\nthe same announcement article, the Crown Prince said that the bike route would pass the Ratchaprasong\r\nintersection, which is where the Erawan Shrine bombing took place. 
Therefore, the threat actors using this within\r\ntheir social engineering attempts continues to follow the theme involving the bombing of the shrine in Bangkok,\r\nas it is undoubtedly still in the hearts and minds of the Thai people.\r\nThe final remaining known decoy includes photos of Chitpas Tant Kridakon (Figure 7), who is known as heiress\r\nto the largest brewery in Thailand. Chitpas is heavily involved with Thailand politics and was a core leader of the\r\nPeople’s Committee for Absolute Democracy (PCAD), which is an organization that staged anti-government\r\ncampaigns in 2013 and 2014. As recently as September 2015, Chitpas has been in the news for her attempts to\r\nbecome an officer in the Royal Thai Police force, which has caused protests due to her political stance. Two of the\r\nimages in the slideshow can be seen in an article that was published on September 20, 2015. These images were\r\nassociated with the Bookworm campaign code “20150905”.\r\nFigure 7 Picture of Chitpas Tant Kridakon included in a Decoy Slideshow\r\nBy comparing the campaign codes with the dates of known attacks or the dates of the events shown in the decoys,\r\nwe found that the campaign codes precede the attack or event dates by 6 to 18 days. The campaign code date\r\npreceding the attack or associated events suggests that the threat actors perform development operations on their\r\ntools and then choose their decoy. These decoy documents also suggest that the threat actors actively track current\r\nnews events and use photographs from the media to create their decoy slideshows.\r\nCompromised Hosts\r\nUnit 42 analyzed the systems communicating with the Bookworm C2 domains and found that a majority of the IP\r\naddresses existed within autonomous systems (ASNs) located in Thailand. 
The pie chart in Figure 8 shows that the\r\nvast majority (73%) of the hosts are geographically located in Thailand, which matches the known targeting of\r\nthis threat group. We believe that the IP addresses from Canada, Russia and Norway are analysis systems of\r\nantivirus companies or security researchers. The IP addresses in South Korea prove interesting and could suggest\r\nthat this threat group has carried out an attack campaign on targets in that locale as well. However, we’ve found no\r\nadditional evidence to corroborate this theory.\r\nFigure 8 The Unique IP Addresses Seen Communicating with Bookworm C2 Emphasizes Attacks\r\non Targets in Thailand\r\nWe took the IP addresses seen communicating with Bookworm C2 servers and obtained their geographic\r\ncoordinates using an IP geolocation database and plotted them on a map, as seen in Figure 9. A majority of the IP\r\naddresses in Thailand have coordinates in the Bangkok metropolitan area, with one in the southern town of Pattini\r\nand one in the Phanat Nikhom District of the Chonburi Province. IP geolocation systems are not perfectly\r\naccurate, but the data suggests that most of the compromised hosts exist near the largest city of Bangkok. This\r\ngrouping of compromised hosts also aligns with the known targeting, as Bangkok and Nonthaburi are where a\r\nmajority of the government of Thailand exists.\r\nFigure 9 Map Showing GeoIP Locations of Compromised Hosts Grouped in the Bangkok\r\nMetropolitan Area\r\nBookworm’s Threat Infrastructure\r\nBookworm-related infrastructure created by threat actors mainly involves the use of dynamic domains; however,\r\nan early sample used a fully qualified domain name (FQDN) owned by the actor. 
The actors also appear to have\r\naccess to legitimate servers that they use to host Bookworm and other related tools for attacks. Overall, the\r\nBookworm infrastructure overlaps with the infrastructure hosting C2 servers used by various attack tools,\r\nincluding FFRAT, Poison Ivy, PlugX, and others.\r\nCompromised Web Servers\r\nUnit 42 has seen threat actors hosting Bookworm and other related tools on legitimate websites, which suggests\r\nthe actors have unauthorized access to these servers. We have witnessed Bookworm samples hosted on websites\r\nbelonging to the following organizations:\r\nTwo branches of government in Thailand\r\nThai Military\r\nA Taiwanese Labor Association\r\nThree of the four compromised webservers have been breached in the past, with each being listed on Zone-h as\r\nhaving been defaced, while the remaining site was defaced by the TURKHACKTEAM, according to a Google cache\r\nfrom November 11, 2015. The specific details of how the actors gained access to these sites are unclear; however,\r\none site has a publicly accessible form that would allow visitors to upload files to the webserver (Figure 8). Unit\r\n42 believes that threat actors could have uploaded Bookworm to this server using this form. It is also possible that\r\nthe threat actors uploaded an ASP shell to gain further control over this webserver. We also speculate that these\r\nthreat actors may use strategic web compromises (SWC) as an attack vector in future campaigns using their\r\nunauthorized access to webservers.\r\nFigure 10 Publicly Accessible Form to Upload Files to Server Seen Hosting Bookworm Trojan\r\nThe site hosting this file upload form belongs to one of the organizations targeted with Bookworm. 
This may\r\nsuggest that the threat actors used this webserver to pivot from the webserver into the internal network.\r\nInfrastructure Overlap and Related Tools\r\nThe domains hosting Bookworm C2 servers (see the Indicators of Compromise section of our Bookworm blog)\r\nconnect to a larger infrastructure that the threat actors are using to host C2 servers for other tools in their toolset.\r\nSo far, Unit 42 has seen infrastructure overlaps with servers hosting C2 servers for samples of the FFRAT, PlugX,\r\nPoison Ivy and Scieron Trojans, suggesting that the threat actors use these tools as the payload in their attacks.\r\nUnit 42 enumerated the threat infrastructure related to Bookworm and created a chart to visualize connected\r\nentities to its current attack campaign. The infrastructure is fairly complex and has many overlaps with other\r\ntoolsets. Figure 11 below shows a fraction of the threat infrastructure that visualizes a connection between\r\nBookworm, FFRAT, PlugX and Poison Ivy.\r\nFigure 11 Infrastructure Overlaps connecting Bookworm to samples of the PlugX, Poison Ivy and\r\nFFRAT Trojans\r\nThe overlap between Bookworm, PlugX and Poison Ivy samples involves the use of the Smart Installer Maker,\r\nwhich is a common technique used by this threat group. In one particular case, a sample of the Smart Installer\r\nMaker (MD5: 6741ad202dcef693dceb98b0a10c49fc) installed both a PlugX and Poison Ivy Trojan that\r\ncommunicated with domains that resolved to an IP address (119.205.158.70) to which a Bookworm C2\r\ndomain (sswmail.gotdns[.]com) also resolved. This IP address was also used to resolve a domain (qemail.gotdns[.]com) that\r\nactors used to host a C2 server for another Trojan known as FFRAT. 
We observed another direct overlap in a C2\r\ndomain (ubuntudns.sytes[.]net) used for both Bookworm and FFRAT.\r\nAs previously mentioned, the infrastructure related to Bookworm is fairly complex with many connections to\r\ndomains hosting C2 servers for other tools. The related infrastructure and associated malware can be seen in the\r\ntable below.\r\nDomain Malware Family/Cluster\r\nweb12.nhknews[.]hk Bookworm\r\nsysteminfothai.gotdns[.]ch Bookworm\r\nbkmail.blogdns[.]com Bookworm\r\nthailandbbs.ddns[.]net Bookworm\r\nblog.nhknews[.]hk Bookworm\r\nnews.nhknews[.]hk Bookworm\r\nsysnc.sytes[.]net Bookworm\r\ndebain.servehttp[.]com Bookworm\r\nsswmail.gotdns[.]com Bookworm\r\nsswwmail.gotdns[.]com Bookworm\r\nubuntudns.sytes[.]net Bookworm, FFRAT\r\nlinuxdns.sytes[.]net Bookworm, FFRAT\r\nwww.chinabztech[.]com FFRAT\r\nwww.tibetonline[.]info FFRAT\r\n3h01.dwy[.]cc FFRAT\r\nwww.vxea[.]com FFRAT\r\nbdimg.s.dwy[.]cc FFRAT\r\nnine.alltosec[.]com FFRAT\r\nwww.rooter[.]tk FFRAT\r\nwucy08.eicp[.]net FFRAT\r\nwelcome.dnsd[.]info FFRAT\r\nwww.ifilmone[.]com FFRAT\r\npcal2.dwy[.]cc FFRAT\r\nluotuozhizhu.blog.163[.]com FFRAT\r\noffice.alltosec[.]com FFRAT\r\nftpseck.ftp21[.]net FFRAT\r\nwuzhiting.3322[.]org FFRAT\r\nqemail.gotdns[.]com FFRAT\r\ngoogleupdating[.]com FFRAT\r\nwelcometohome.strangled[.]net FFRAT\r\nzz.alltosec[.]com FFRAT\r\nback.rooter[.]tk FFRAT\r\nproducts.alltosec[.]com FFRAT\r\nwindowsupdating[.]net FFRAT\r\napp.rooter[.]tk FFRAT\r\nhkemail.f3322[.]org FFRAT\r\npcal2.yahoolive[.]us FFRAT\r\nhappy.tftpd[.]net PlugX\r\nweather.webhop[.]me PlugX\r\nns1.vancouversun[.]us PlugX\r\nn5579a.voanews[.]hk PlugX\r\nhope.jumpingcrab[.]com PlugX\r\nnews.nowpublic[.]us PlugX\r\nweb.vancouversun[.]us PlugX\r\nnews.voanews[.]hk 
PlugX\r\nbugatti.from-wa[.]com PlugX\r\nweb.voanews[.]hk PlugX\r\nns3.yomiuri[.]us PlugX\r\ntree.crabdance[.]com PlugX\r\nsupercat.strangled[.]net PlugX\r\nwebupdate.strangled[.]net PlugX\r\nbreaknews.mefound[.]com PlugX\r\nsucc.gotdns[.]com Poison Ivy, PlugX\r\nimail.gotdns[.]com Poison Ivy, PlugX\r\nwmail.gotdns[.]com Poison Ivy, PlugX\r\nxxcase.gotdns[.]com Poison Ivy\r\nromadc.homelinux[.]com Poison Ivy\r\n3389temp.dyndns[.]org Poison Ivy\r\nahcase.gotdns[.]com Poison Ivy\r\nkcase.gotdns[.]com Poison Ivy\r\n3389pi.servegame[.]org Poison Ivy\r\nflashcard.gotdns[.]com Poison Ivy\r\nkr-update.homelinux[.]com Poison Ivy\r\n3389.homeunix[.]org Poison Ivy\r\nflashgame.gotdns[.]com Poison Ivy\r\nanhei.gotdns[.]com Poison Ivy\r\nxcase.gotdns[.]com Poison Ivy\r\neducation.suroot[.]com Scieron\r\nserver.organiccrap[.]com Scieron\r\npricetag.deaftone[.]com Scieron\r\napple.dynamic-dns[.]net Scieron\r\nwilliamsblog.dtdns[.]net Scieron\r\nwill-smith.dtdns[.]net Scieron\r\ndurant.dumb1[.]com Scieron\r\nTable 2 Threat Infrastructure Related to Bookworm\r\nWe made connections between domains seen in Table 2 through shared stolen code signing certificates, other PE\r\nbuild commonalities, passive DNS data and direct C2 domain overlap. The domains connected using passive DNS\r\nall share common IP addresses used to resolve the domain. 
The following IP addresses provided many of the\r\nconnection points within the infrastructure via passive DNS overlap:\r\n103.226.127.47\r\n104.156.239.105\r\n112.167.143.179\r\n115.144.107.22\r\n115.144.107.46\r\n115.144.107.52\r\n115.144.107.53\r\n115.144.107.134\r\n115.144.166.209\r\n119.205.158.70\r\n43.248.8.249\r\nConclusion\r\nThreat actors have targeted the government of Thailand and delivered the newly discovered Bookworm Trojan\r\nsince July 2015. The actors appear to follow a set playbook, as the observed TTPs are fairly static within each\r\nattack in this campaign. The threat actors have continually used Flash Player installers and Flash slideshows for\r\ndecoys. The decoy slideshows all contain photos from events that are very meaningful to individuals in Thailand,\r\nsuggesting that the actors continually look for impactful events to use to disguise their attacks.\r\nThe vast majority of systems communicating with Bookworm C2 servers are within the Bangkok metropolitan\r\narea where a majority of the government of Thailand exists. While the current campaign has targeted the Thai\r\ngovernment, Unit 42 believes the threat actors will target other governments to deliver Bookworm in future\r\ncampaigns.\r\nSource: https://unit42.paloaltonetworks.com/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/"
	],
	"report_names": [
		"attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7df4ddf9-511d-4913-8e51-7e7130639b45",
			"created_at": "2023-01-06T13:46:38.545041Z",
			"updated_at": "2026-04-10T02:00:03.018661Z",
			"deleted_at": null,
			"main_name": "TurkHackTeam",
			"aliases": [
				"Turk Hack Team"
			],
			"source_name": "MISPGALAXY:TurkHackTeam",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8386d4af-5cca-40bb-91d7-aca5d1a0ec99",
			"created_at": "2022-10-25T16:07:23.414558Z",
			"updated_at": "2026-04-10T02:00:04.588816Z",
			"deleted_at": null,
			"main_name": "Bookworm",
			"aliases": [],
			"source_name": "ETDA:Bookworm",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Scieron",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433987,
	"ts_updated_at": 1775792167,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d89cee28bd0638967ab3ec938b64b82ab33f0428.pdf",
		"text": "https://archive.orkl.eu/d89cee28bd0638967ab3ec938b64b82ab33f0428.txt",
		"img": "https://archive.orkl.eu/d89cee28bd0638967ab3ec938b64b82ab33f0428.jpg"
	}
}