{ "id": "150e7164-49fc-4564-ad5d-e5973ee93daf", "created_at": "2026-04-06T00:12:27.453086Z", "updated_at": "2026-04-10T13:12:42.451129Z", "deleted_at": null, "sha1_hash": "e4856127e7c11ec8eade2221e8c6db306bc364ec", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51232, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:04:17 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool HemiGate\r\n Tool: HemiGate\r\nNames HemiGate\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Trend Micro) HemiGate is a backdoor used by Earth Estries. Like most of the tools used by\r\nthis threat actor, this backdoor is also executed via DLL sideloading using one of the loaders\r\nthat support interchangeable payloads. K7AVMScn.exe from K7 Computing is the sideloading\r\nhost utilized by this backdoor, while the loader poses as K7AVWScn.dll. The main backdoor is\r\nan encrypted file named taskhask.doc, and another encrypted file named taskhask.dat serves as\r\nthe configuration file.\r\nInformation\r\n\u003chttps://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\u003e\r\n\u003chttps://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.hemigate\u003e\r\nLast change to this tool card: 27 December 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool HemiGate\r\nChanged Name Country Observed\r\nAPT groups\r\n  Salt Typhoon, GhostEmperor 2020-Feb 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3a8b91fe-b0df-4e6c-a005-be144bbc6440\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3a8b91fe-b0df-4e6c-a005-be144bbc6440\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3a8b91fe-b0df-4e6c-a005-be144bbc6440\r\nPage 2 of 2\n\nAPT groups Salt Typhoon, GhostEmperor 2020-Feb 2025 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3a8b91fe-b0df-4e6c-a005-be144bbc6440" ], "report_names": [ "listgroups.cgi?u=3a8b91fe-b0df-4e6c-a005-be144bbc6440" ], "threat_actors": [ { "id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6", "created_at": "2022-10-25T16:07:23.605611Z", "updated_at": "2026-04-10T02:00:04.685162Z", "deleted_at": null, "main_name": "FamousSparrow", "aliases": [ "Earth Estries" ], "source_name": "ETDA:FamousSparrow", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "f0eca237-f191-448f-87d1-5d6b3651cbff", "created_at": "2024-02-06T02:00:04.140087Z", "updated_at": "2026-04-10T02:00:03.577326Z", "deleted_at": null, "main_name": "GhostEmperor", "aliases": [ "OPERATOR PANDA", "FamousSparrow", "UNC2286", "Salt Typhoon", "RedMike" ], "source_name": "MISPGALAXY:GhostEmperor", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633", "created_at": "2023-11-04T02:00:07.676869Z", "updated_at": "2026-04-10T02:00:03.389898Z", "deleted_at": null, "main_name": "Earth Estries", "aliases": [], "source_name": "MISPGALAXY:Earth Estries", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff", "created_at": "2024-12-28T02:01:54.899899Z", "updated_at": "2026-04-10T02:00:04.880446Z", "deleted_at": null, "main_name": "Salt Typhoon", "aliases": [ "Earth Estries", "FamousSparrow", "GhostEmperor", "Operator Panda", "RedMike", "Salt Typhoon", "UNC2286" ], "source_name": "ETDA:Salt Typhoon", "tools": [ "Agentemis", "Backdr-NQ", "Cobalt Strike", "CobaltStrike", "Crowdoor", "Cryptmerlin", "Deed RAT", "Demodex", "FamousSparrow", "FuxosDoor", "GHOSTSPIDER", "HemiGate", "MASOL RAT", "Mimikatz", "NBTscan", "NinjaCopy", "ProcDump", "PsExec", "PsList", "SnappyBee", "SparrowDoor", "TrillClient", "WinRAR", "Zingdoor", "certutil", "certutil.exe", "cobeacon", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff", "created_at": "2025-04-23T02:00:55.190165Z", "updated_at": "2026-04-10T02:00:05.361244Z", "deleted_at": null, "main_name": "Salt Typhoon", "aliases": [ "Salt Typhoon" ], "source_name": "MITRE:Salt Typhoon", "tools": [ "JumbledPath" ], "source_id": "MITRE", "reports": null }, { "id": "6477a057-a76b-4b60-9135-b21ee075ca40", "created_at": "2025-11-01T02:04:53.060656Z", "updated_at": "2026-04-10T02:00:03.845594Z", "deleted_at": null, "main_name": "BRONZE TIGER", "aliases": [ "Earth Estries ", "Famous Sparrow ", "Ghost Emperor ", "RedMike ", "Salt Typhoon " ], "source_name": "Secureworks:BRONZE TIGER", "tools": [], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434347, "ts_updated_at": 1775826762, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e4856127e7c11ec8eade2221e8c6db306bc364ec.pdf", "text": "https://archive.orkl.eu/e4856127e7c11ec8eade2221e8c6db306bc364ec.txt", "img": "https://archive.orkl.eu/e4856127e7c11ec8eade2221e8c6db306bc364ec.jpg" } }