{ "id": "3b3831b0-8dfb-4a0b-97ce-26730bbe9dbd", "created_at": "2026-04-06T00:16:49.945781Z", "updated_at": "2026-04-10T03:25:41.284223Z", "deleted_at": null, "sha1_hash": "e216bed39c745f35658d4eb1624c7f1e4f574ef9", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 42616, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:05:30 UTC\r\n APT group: AeroBlade\r\nNames AeroBlade (BlackBerry)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2022\r\nDescription\r\n(BlackBerry) BlackBerry has uncovered a previously unknown threat actor targeting an\r\naerospace organization in the United States, with the apparent goal of conducting commercial\r\nand competitive cyber espionage. The BlackBerry Threat Research and Intelligence team is\r\ntracking this threat actor as AeroBlade. The actor used spear-phishing as a delivery\r\nmechanism: A weaponized document, sent as an email attachment, contains an embedded\r\nremote template injection technique and a malicious VBA macro code, to deliver the next\r\nstage to the final payload execution.\r\nEvidence suggests that the attacker’s network infrastructure and weaponization became\r\noperational around September 2022. BlackBerry assesses with medium to high confidence that\r\nthe offensive phase of the attack occurred in July 2023. The attacker improved its toolset\r\nduring that time, making it stealthier, while the network infrastructure remained the same.\r\nGiven the final payload functionality and the subject of the attack, BlackBerry assesses with\r\nmedium to high confidence that the goal of this attack was commercial cyber espionage.\r\nObserved\r\nSectors: Aerospace.\r\nCountries: USA.\r\nTools used\r\nInformation\r\n\u003chttps://blogs.blackberry.com/en/2023/11/aeroblade-on-the-hunt-targeting-us-aerospace-industry\u003e\r\nLast change to this card: 16 January 2024\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2c1a4c44-04ee-4b60-ba62-cfd0083550bc\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2c1a4c44-04ee-4b60-ba62-cfd0083550bc\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2c1a4c44-04ee-4b60-ba62-cfd0083550bc" ], "report_names": [ "showcard.cgi?u=2c1a4c44-04ee-4b60-ba62-cfd0083550bc" ], "threat_actors": [ { "id": "b2d90939-4491-40e6-9ba1-7f97f6908af9", "created_at": "2024-01-18T02:02:33.896267Z", "updated_at": "2026-04-10T02:00:04.525Z", "deleted_at": null, "main_name": "AeroBlade", "aliases": [], "source_name": "ETDA:AeroBlade", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "e7501832-edc8-4dff-a979-17cdc3091f82", "created_at": "2023-12-08T02:00:05.738096Z", "updated_at": "2026-04-10T02:00:03.491058Z", "deleted_at": null, "main_name": "AeroBlade", "aliases": [], "source_name": "MISPGALAXY:AeroBlade", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434609, "ts_updated_at": 1775791541, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e216bed39c745f35658d4eb1624c7f1e4f574ef9.pdf", "text": "https://archive.orkl.eu/e216bed39c745f35658d4eb1624c7f1e4f574ef9.txt", "img": "https://archive.orkl.eu/e216bed39c745f35658d4eb1624c7f1e4f574ef9.jpg" } }