{ "id": "092de927-eb69-480c-ab47-9f5b1026fa64", "created_at": "2026-04-06T00:21:21.557998Z", "updated_at": "2026-04-10T13:11:34.532456Z", "deleted_at": null, "sha1_hash": "e45797151ae075e64d8e4d8ddcfd2b379c86d7a6", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53668, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:25:25 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Hupigon\r\n Tool: Hupigon\r\nNames\r\nHupigon\r\nHupigon RAT\r\nBKDR_HUPIGON\r\nMFC Huner\r\nCategory Malware\r\nType 0-day, Backdoor, Rootkit, Keylogger, Credential stealer, Info stealer\r\nDescription\r\n(F-Secure) Hupigon variants have several different types of features. The following list is an\r\nexample of some:\r\n• It allows others to access the computer\r\n• Allows for recording with the user's webcam\r\n• Can make the user's computer to attack various servers\r\n• Send victim's computer messages\r\n• Has rootkit functionality so it has a stealth component that hides files\r\n• Create logs from keystrokes, steals passwords, and sends this information to remote servers\r\nInformation\r\n\u003chttps://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml\u003e\r\n\u003chttps://www.fireeye.com/blog/threat-research/2010/11/ie-0-day-hupigon-joins-the-party.html\u003e\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/threat-actors-repurpose-hupigon-adult-dating-attacks-targeting-us-universities\u003e\r\n\u003chttps://en.wikipedia.org/wiki/Hupigon\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.hupigon\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool Hupigon\r\nChanged Name Country Observed\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=52ea511b-5508-4655-a547-d2e1a96e972d\r\nPage 1 of 2\n\nAPT groups\r\n  APT 3, Gothic Panda, Buckeye 2007-Nov 2017\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=52ea511b-5508-4655-a547-d2e1a96e972d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=52ea511b-5508-4655-a547-d2e1a96e972d\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=52ea511b-5508-4655-a547-d2e1a96e972d" ], "report_names": [ "listgroups.cgi?u=52ea511b-5508-4655-a547-d2e1a96e972d" ], "threat_actors": [ { "id": "13354d3f-3f40-44ec-b42a-3cda18809005", "created_at": "2022-10-25T15:50:23.275272Z", "updated_at": "2026-04-10T02:00:05.36519Z", "deleted_at": null, "main_name": "APT3", "aliases": [ "APT3", "Gothic Panda", "Pirpi", "UPS Team", "Buckeye", "Threat Group-0110", "TG-0110" ], "source_name": "MITRE:APT3", "tools": [ "OSInfo", "schtasks", "PlugX", "LaZagne", "SHOTPUT", "RemoteCMD" ], "source_id": "MITRE", "reports": null }, { "id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4", "created_at": "2023-01-06T13:46:38.269054Z", "updated_at": "2026-04-10T02:00:02.90356Z", "deleted_at": null, "main_name": "APT3", "aliases": [ "GOTHIC PANDA", "TG-0110", "Buckeye", "Group 6", "Boyusec", "BORON", "BRONZE MAYFAIR", "Red Sylvan", "Brocade Typhoon" ], "source_name": "MISPGALAXY:APT3", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c", "created_at": "2025-08-07T02:03:24.631402Z", "updated_at": "2026-04-10T02:00:03.608938Z", "deleted_at": null, "main_name": "BRONZE MAYFAIR", "aliases": [ "APT3 ", "Gothic Panda ", "Pirpi", "TG-0110 ", "UPSTeam" ], "source_name": "Secureworks:BRONZE MAYFAIR", "tools": [ "Cookiecutter", "HUC Proxy Malware (Htran)", "Pirpi", "PlugX", "SplitVPN", "UPS", "ctt", "ctx" ], "source_id": "Secureworks", "reports": null }, { "id": "06f622cb-3a78-49cf-9a4c-a6007a69325f", "created_at": "2022-10-25T16:07:23.315239Z", "updated_at": "2026-04-10T02:00:04.537826Z", "deleted_at": null, "main_name": "APT 3", "aliases": [ "APT 3", "Boron", "Brocade Typhoon", "Bronze Mayfair", "Buckeye", "G0022", "Gothic Panda", "Group 6", "Operation Clandestine Fox", "Operation Clandestine Fox, Part Deux", "Operation Clandestine Wolf", "Operation Double Tap", "Red Sylvan", "TG-0110", "UPS Team" ], "source_name": "ETDA:APT 3", "tools": [ "APT3 Keylogger", "Agent.dhwf", "BKDR_HUPIGON", "Backdoor.APT.CookieCutter", "Badey", "Bemstour", "CookieCutter", "Destroy RAT", "DestroyRAT", "DoublePulsar", "EXL", "EternalBlue", "HTran", "HUC Packet Transmit Tool", "Hupigon", "Hupigon RAT", "Kaba", "Korplug", "LaZagne", "MFC Huner", "OSInfo", "Pirpi", "PlugX", "RedDelta", "RemoteCMD", "SHOTPUT", "Sogu", "TIGERPLUG", "TTCalc", "TVT", "Thoper", "Xamtrav", "remotecmd", "shareip", "w32times" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434881, "ts_updated_at": 1775826694, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e45797151ae075e64d8e4d8ddcfd2b379c86d7a6.pdf", "text": "https://archive.orkl.eu/e45797151ae075e64d8e4d8ddcfd2b379c86d7a6.txt", "img": "https://archive.orkl.eu/e45797151ae075e64d8e4d8ddcfd2b379c86d7a6.jpg" } }