{
	"id": "ee284b35-6ed0-4521-8d09-d98f0867448c",
	"created_at": "2026-04-06T00:12:06.360276Z",
	"updated_at": "2026-04-10T03:32:39.867412Z",
	"deleted_at": null,
	"sha1_hash": "e4ab33e5fae454f2438f40a83fc93ed7c3de04ad",
	"title": "Temper Panda, admin@338 - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56153,
	"plain_text": "Temper Panda, admin@338 - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 13:39:38 UTC\r\nHome \u003e List all groups \u003e Temper Panda, admin@338\r\n APT group: Temper Panda, admin@338\r\nNames\r\nTemper Panda (Crowdstrike)\r\nadmin@338 (FireEye)\r\nTeam338 (Kaspersky)\r\nMagnesium (Microsoft)\r\nG0018 (MITRE)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2014\r\nDescription\r\n(FireEye) The threat group has previously used newsworthy events as lures to deliver\r\nmalware. They have largely targeted organizations involved in financial, economic and\r\ntrade policy, typically using publicly available RATs such as Poison Ivy, as well some\r\nnon-public backdoors.\r\nThe group started targeting Hong Kong media companies, probably in response to\r\npolitical and economic challenges in Hong Kong and China. The threat group’s latest\r\nactivity coincided with the announcement of criminal charges against democracy\r\nactivists. During the past 12 months, Chinese authorities have faced several challenges,\r\nincluding large-scale protests in Hong Kong in late 2014, the precipitous decline in the\r\nstock market in mid-2015, and the massive industrial explosion in Tianjin in August\r\n2015. In Hong Kong, the pro-democracy movement persists, and the government\r\nrecently denied a professor a post because of his links to a pro-democracy leader.\r\nObserved\r\nSectors: Defense, Financial, Government, Media, Think Tanks.\r\nCountries: Hong Kong, USA.\r\nTools used Bozok, BUBBLEWRAP, LOWBALL, Poison Ivy, Living off the Land.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=d54adbf5-1684-4824-8416-045b3265eb3d\r\nPage 1 of 2\n\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d54adbf5-1684-4824-8416-045b3265eb3d\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=d54adbf5-1684-4824-8416-045b3265eb3d\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d54adbf5-1684-4824-8416-045b3265eb3d"
	],
	"report_names": [
		"showcard.cgi?u=d54adbf5-1684-4824-8416-045b3265eb3d"
	],
	"threat_actors": [
		{
			"id": "9d6f666e-3a9d-4a09-bcac-8aee96572827",
			"created_at": "2022-10-25T15:50:23.2832Z",
			"updated_at": "2026-04-10T02:00:05.268714Z",
			"deleted_at": null,
			"main_name": "admin@338",
			"aliases": [
				"admin@338"
			],
			"source_name": "MITRE:admin@338",
			"tools": [
				"BUBBLEWRAP",
				"LOWBALL",
				"Systeminfo",
				"PoisonIvy",
				"netstat",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1f29d13d-268d-4c26-ac4a-1ce8cebdbd3a",
			"created_at": "2023-01-06T13:46:38.351187Z",
			"updated_at": "2026-04-10T02:00:02.938577Z",
			"deleted_at": null,
			"main_name": "TEMPER PANDA",
			"aliases": [
				"Admin338",
				"Team338",
				"admin@338",
				"G0018"
			],
			"source_name": "MISPGALAXY:TEMPER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c23ca3e9-6b58-4f24-b4eb-ce3b24815ac4",
			"created_at": "2022-10-25T16:07:24.313367Z",
			"updated_at": "2026-04-10T02:00:04.932247Z",
			"deleted_at": null,
			"main_name": "Temper Panda",
			"aliases": [
				"G0018",
				"Team338",
				"Temper Panda",
				"admin@338"
			],
			"source_name": "ETDA:Temper Panda",
			"tools": [
				"BUBBLEWRAP",
				"Backdoor.APT.FakeWinHTTPHelper",
				"Bozok",
				"Bozok RAT",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"LOLBAS",
				"LOLBins",
				"LOWBALL",
				"Living off the Land",
				"Poison Ivy",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434326,
	"ts_updated_at": 1775791959,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4ab33e5fae454f2438f40a83fc93ed7c3de04ad.pdf",
		"text": "https://archive.orkl.eu/e4ab33e5fae454f2438f40a83fc93ed7c3de04ad.txt",
		"img": "https://archive.orkl.eu/e4ab33e5fae454f2438f40a83fc93ed7c3de04ad.jpg"
	}
}