{ "id": "2cfad6be-7af2-4e3b-896c-95c319b19b7d", "created_at": "2026-04-06T00:13:32.358923Z", "updated_at": "2026-04-10T03:35:53.453841Z", "deleted_at": null, "sha1_hash": "e6e4ab4b5d49d667a53ea8b74d3d92cf96b606ac", "title": "100 - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 55302, "plain_text": "100 - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:19:52 UTC\n APT group: TAG-100\nNames\nTAG-100 (Recorded Future)\nStorm-2077 (Microsoft)\nCountry China\nSponsor State-sponsored\nMotivation Information theft and espionage\nFirst seen 2024\nDescription\n(Recorded Future) Recorded Future’s Insikt Group identified new suspected cyber-espionage\nactivity targeting high-profile government, intergovernmental, and private sector organizations\nglobally. This activity, which we are tracking under the temporary group designator TAG100,\nhas employed open-source remote access capabilities and exploited a wide range of internet-facing appliances for initial access. Using Recorded Future® Network Intelligence data, Insikt\nGroup identified the likely compromise of the secretariats of two major Asia-Pacific\nintergovernmental organizations by TAG100 using the open-source, multi-platform Go\nbackdoor Pantegana. Other targeted organizations include multiple diplomatic entities and\nministries of foreign affairs, as well as industry trade associations and semiconductor supply-chain, non-profit, and religious organizations globally. At this time, Insikt Group is continuing\nto explore potential attribution for this activity; however, the specific targeting and\nvictimology identified align with a suspected espionage motive.\nObserved\nSectors: Embassies, Financial, Government, High-Tech.\nCountries: Bolivia, Cambodia, Cuba, Djibouti, Dominican Republic, Fiji, France, Indonesia,\nItaly, Japan, Malaysia, Netherlands, Taiwan, UK, USA, Vietnam.\nTools used Cobalt Strike, CrossC2, LESLIELOADER, Pantegana, SparkRAT.\nInformation\nLast change to this card: 26 December 2024\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b01702b6-b1dc-4292-8a10-dfb87acfcd59\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b01702b6-b1dc-4292-8a10-dfb87acfcd59\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b01702b6-b1dc-4292-8a10-dfb87acfcd59\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b01702b6-b1dc-4292-8a10-dfb87acfcd59" ], "report_names": [ "showcard.cgi?u=b01702b6-b1dc-4292-8a10-dfb87acfcd59" ], "threat_actors": [ { "id": "64a08f65-4ef8-4ad5-bac1-ce4e0fd2808c", "created_at": "2024-08-28T02:02:09.663698Z", "updated_at": "2026-04-10T02:00:04.927384Z", "deleted_at": null, "main_name": "TAG-100", "aliases": [ "Storm-2077" ], "source_name": "ETDA:TAG-100", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "CrossC2", "LESLIELOADER", "Pantegana", "SparkRAT", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "db5b833a-965e-4f46-b75d-7e829466a5fa", "created_at": "2024-12-21T02:00:02.843374Z", "updated_at": "2026-04-10T02:00:03.780907Z", "deleted_at": null, "main_name": "Storm-2077", "aliases": [ "TAG-100", "RedNovember" ], "source_name": "MISPGALAXY:Storm-2077", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434412, "ts_updated_at": 1775792153, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e6e4ab4b5d49d667a53ea8b74d3d92cf96b606ac.pdf", "text": "https://archive.orkl.eu/e6e4ab4b5d49d667a53ea8b74d3d92cf96b606ac.txt", "img": "https://archive.orkl.eu/e6e4ab4b5d49d667a53ea8b74d3d92cf96b606ac.jpg" } }