{
	"id": "831282d7-df2d-44c2-b064-1fb47582a702",
	"created_at": "2026-04-06T00:19:51.22564Z",
	"updated_at": "2026-04-10T03:26:15.830441Z",
	"deleted_at": null,
	"sha1_hash": "dffc071567847818450fd0d218b5f96b8a41eed3",
	"title": "Operation TunnelSnake - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48393,
	"plain_text": "Operation TunnelSnake - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:01:17 UTC\nAPT group: Operation TunnelSnake\nNames Operation TunnelSnake (Kaspersky)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2018\nDescription\n(Kaspersky) In this blog post we will focus on the following key findings that came up in our investigation:\n• A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C\u0026C communication channel through which they can be silently controlled;\n• The rootkit was found on networks of regional diplomatic organizations in Asia and Africa, detected on several instances dating back to October 2019 and May 2020, where the infection persisted in the targeted networks for several months after each deployment of the malware;\n• We observed an additional victim in South Asia, where the threat actor deployed a broad toolset for lateral movement along with the rootkit, including a tool that was formerly used by APT1. Based on the detection timestamps of that toolset, we assess that the attacker had a foothold in the network from as early as 2018;\n• A couple of other tools that have significant code overlaps with Moriya were found as well. These contain a user mode version of the malware and another driver-based utility used to defeat AV software.\nObserved Countries: Asia and Africa.\nTools used Moriya.\nInformation Last change to this card: 27 June 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=841c5da3-a545-4f1b-b26b-098ede8fa700",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=841c5da3-a545-4f1b-b26b-098ede8fa700"
	],
	"report_names": [
		"showcard.cgi?u=841c5da3-a545-4f1b-b26b-098ede8fa700"
	],
	"threat_actors": [
		{
			"id": "7c390b96-8206-4194-81d8-ebbabb9910ff",
			"created_at": "2023-12-03T02:00:05.147496Z",
			"updated_at": "2026-04-10T02:00:03.486417Z",
			"deleted_at": null,
			"main_name": "TunnelSnake",
			"aliases": [],
			"source_name": "MISPGALAXY:TunnelSnake",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b48e4b6-09b0-4f4d-a78c-6b455d122e67",
			"created_at": "2022-10-25T16:07:24.020115Z",
			"updated_at": "2026-04-10T02:00:04.84333Z",
			"deleted_at": null,
			"main_name": "Operation TunnelSnake",
			"aliases": [],
			"source_name": "ETDA:Operation TunnelSnake",
			"tools": [
				"Moriya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434791,
	"ts_updated_at": 1775791575,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dffc071567847818450fd0d218b5f96b8a41eed3.pdf",
		"text": "https://archive.orkl.eu/dffc071567847818450fd0d218b5f96b8a41eed3.txt",
		"img": "https://archive.orkl.eu/dffc071567847818450fd0d218b5f96b8a41eed3.jpg"
	}
}