{
	"id": "e0586efd-58a3-4435-ae63-c41dc4bc284c",
	"created_at": "2026-04-06T00:20:01.642921Z",
	"updated_at": "2026-04-10T03:28:37.654584Z",
	"deleted_at": null,
	"sha1_hash": "df2efd20d6c91c0b978abdf570dfdd5389a76b20",
	"title": "Operation Poison Needles - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43704,
	"plain_text": "Operation Poison Needles - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 14:13:46 UTC\r\n APT group: Operation Poison Needles\r\nNames Operation Poison Needles (Qihoo 360)\r\nCountry Ukraine\r\nMotivation Information theft and espionage\r\nFirst seen 2018\r\nDescription\r\n(Qihoo 360) On the evening of November 29, 2018, shortly after the break-out of the Kerch\r\nStrait Incident, 360 Advanced Threat Response Team was the first security team to discover\r\nthe APT attack against the FSBI “Polyclinic No.2” affiliated to the Presidential Administration\r\nof Russia. The lure document used to initiate the attack was a carefully forged employee\r\nquestionnaire, which exploited the latest Flash 0day vulnerability CVE-2018-15982 and a\r\ncustomized Trojan with self-destruction function. All the technical details indicate that the\r\nAPT group is determined to compromise the target at any price, but at the same time, it is also\r\nvery cautious.\r\nObserved\r\nSectors: Healthcare.\r\nCountries: Russia.\r\nTools used 0-day Flash exploit.\r\nInformation \u003chttp://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN\u003e\r\nLast change to this card: 14 April 2020\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e96f938a-3d98-4977-9767-5dd144595485",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e96f938a-3d98-4977-9767-5dd144595485"
	],
	"report_names": [
		"showcard.cgi?u=e96f938a-3d98-4977-9767-5dd144595485"
	],
	"threat_actors": [
		{
			"id": "a5988309-13cf-4401-b71c-065dee96c568",
			"created_at": "2022-10-25T16:07:23.986472Z",
			"updated_at": "2026-04-10T02:00:04.823637Z",
			"deleted_at": null,
			"main_name": "Operation Poison Needles",
			"aliases": [],
			"source_name": "ETDA:Operation Poison Needles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "36348f49-29a2-4402-82ea-d46a6fd53943",
			"created_at": "2023-01-06T13:46:38.848224Z",
			"updated_at": "2026-04-10T02:00:03.121018Z",
			"deleted_at": null,
			"main_name": "Operation Poison Needles",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Poison Needles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434801,
	"ts_updated_at": 1775791717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df2efd20d6c91c0b978abdf570dfdd5389a76b20.pdf",
		"text": "https://archive.orkl.eu/df2efd20d6c91c0b978abdf570dfdd5389a76b20.txt",
		"img": "https://archive.orkl.eu/df2efd20d6c91c0b978abdf570dfdd5389a76b20.jpg"
	}
}