{
	"id": "28943ebb-1710-42a8-8292-f1eb15d70ca1",
	"created_at": "2026-04-06T00:13:32.527833Z",
	"updated_at": "2026-04-10T03:23:34.971526Z",
	"deleted_at": null,
	"sha1_hash": "e9e1312538536684517e9dc4e3f40260362675c5",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48567,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:12:45 UTC\r\n APT group: NineBlog\r\nNames NineBlog (FireEye)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nDescription\r\n(FireEye) FireEye has been tracking ongoing activity associated with a unique and relatively stealthy group we first identified in 2013 using the name “APT.NineBlog.” The name NINEBLOG refers to a specific backdoor used by the threat group; some versions of the backdoor use the string ‘nineblog’ in their command and control (CnC) URI path.\r\nWe have observed this group targeting organizations primarily in South Asia and the Middle East. The threat group is notable because it employs Visual Basic Scripts (VBScripts) as a backdoor, a tactic we do not often observe. The group can maintain a low profile probably because the VBScripts are small and stealthy in their execution. The NINEBLOG malware is difficult to detect because the VBScripts are encoded and the actors employ SSL network communications. We have observed intermittent activity from this group since we first identified it in 2013, and we saw a spike in activity during mid-2015.\r\nWe assess that one of the probable targets of the group’s 2015 campaign is a Southeast Asian government, based on the specificity of some of the decoy documents.\r\nIn addition to the anti-analysis techniques, the group has used SSL communications since we first identified this activity in 2013. The use of encrypted SSL traffic makes it extremely difficult to develop network-based signatures to detect the malware’s communications.\r\nObserved\r\nSectors: Government.\r\nCountries: South Asia, Southeast Asia and Middle East.\r\nTools used NineBlog.\r\nInformation\r\n\u003chttps://www.fireeye.com/blog/threat-research/2013/08/the-curious-case-of-encoded-vb-scripts-apt-nineblog.html\u003e\r\n\u003chttps://www2.fireeye.com/rs/848-DID-242/images/rpt-southeast-asia-fall-2015.pdf\u003e\r\nLast change to this card: 01 May 2020\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c074decf-2ead-4731-8dca-4cd35cdc96af",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c074decf-2ead-4731-8dca-4cd35cdc96af"
	],
	"report_names": [
		"showcard.cgi?u=c074decf-2ead-4731-8dca-4cd35cdc96af"
	],
	"threat_actors": [
		{
			"id": "b3cfe392-a8df-42bc-bc9a-3233ec5d6d5f",
			"created_at": "2022-10-25T16:07:23.90923Z",
			"updated_at": "2026-04-10T02:00:04.785642Z",
			"deleted_at": null,
			"main_name": "NineBlog",
			"aliases": [],
			"source_name": "ETDA:NineBlog",
			"tools": [
				"NineBlog"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434412,
	"ts_updated_at": 1775791414,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e9e1312538536684517e9dc4e3f40260362675c5.pdf",
		"text": "https://archive.orkl.eu/e9e1312538536684517e9dc4e3f40260362675c5.txt",
		"img": "https://archive.orkl.eu/e9e1312538536684517e9dc4e3f40260362675c5.jpg"
	}
}
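The card's description gives three detectable traits: a VBScript backdoor run through the Windows Script Host, scripts that are encoded, and a CnC URI path that sometimes contains the string 'nineblog' behind SSL. The following detection logic, added here as an illustration and not taken from FireEye or ETDA, runs those checks over a small set of constructed process, URL and file records. Two parts are assumptions rather than facts from the card: that the encoded scripts resemble Microsoft Script Encoder output (the `#@~^` header of .vbe files), and that an Office parent process is a useful signal given the decoy documents the card mentions. The URI check only works where the path is visible at all, which means TLS inspection on the proxy or telemetry from the endpoint; on the wire the path sits inside the SSL session, which is exactly the point FireEye makes about network signatures.

```python
"""Detection checks for the tradecraft described on the NineBlog card:
encoded VBScript backdoors run through the Windows Script Host and a CnC
URI path containing 'nineblog'. All log records below are constructed for
this example; none is real NineBlog telemetry."""
import re
from urllib.parse import urlparse

# Windows Script Host binaries that execute VBScript, including .vbe files.
WSH_HOSTS = {"wscript.exe", "cscript.exe"}

# Microsoft Script Encoder (screnc.exe) output starts with this marker.
# Assumption: NineBlog's encoding looks like this; the FireEye write-up is the
# authority on what the group actually used.
SCRIPT_ENCODER_MARKER = b"#@~^"

# String the card says appears in some versions' CnC URI path.
URI_MARKER = "nineblog"

# Assumption: decoy documents imply an Office parent is worth flagging.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process_event(ev: dict) -> list:
    """Return reasons a process-creation record is suspicious (empty if none)."""
    reasons = []
    if _basename(ev.get("image", "")) not in WSH_HOSTS:
        return reasons
    cmdline = ev.get("cmdline", "")
    if re.search(r"\.vbe\b", cmdline, re.IGNORECASE):
        reasons.append("wsh_runs_encoded_vbscript")
    if re.search(r"//e:vbscript\.encode", cmdline, re.IGNORECASE):
        reasons.append("wsh_forces_vbscript_encode_engine")
    if _basename(ev.get("parent_image", "")) in OFFICE_PARENTS:
        reasons.append("wsh_spawned_by_office_document")
    return reasons


def check_url_event(ev: dict) -> list:
    """Return reasons a proxy/TLS-inspection URL record is suspicious.
    Only the path is examined, so this needs a decrypted view of the request."""
    path = urlparse(ev.get("url", "")).path.lower()
    return ["cnc_uri_path_contains_nineblog"] if URI_MARKER in path else []


def check_script_content(head: bytes) -> list:
    """Flag a script whose first bytes carry the Script Encoder header."""
    return ["script_encoder_header"] if head.startswith(SCRIPT_ENCODER_MARKER) else []


def scan(events: list) -> list:
    """Run every check over a mixed event stream and return only the hits."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            reasons = check_process_event(ev)
        elif kind == "url":
            reasons = check_url_event(ev)
        elif kind == "file":
            reasons = check_script_content(ev.get("head", b""))
        else:
            reasons = []
        if reasons:
            hits.append({"ts": ev.get("ts"), "type": kind, "reasons": reasons})
    return hits


# Constructed sample events: one encoded-script launch from Word, one benign
# admin script, one CnC-looking URL, one benign URL, one encoded file header.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\update.vbe"'},
    {"ts": 2, "type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cscript.exe //nologo C:\scripts\inventory.vbs"},
    {"ts": 3, "type": "url", "url": "https://203.0.113.10:443/nineblog/index.asp?id=1"},
    {"ts": 4, "type": "url", "url": "https://example.com/blog/nine-things"},
    {"ts": 5, "type": "file", "head": b"#@~^AAAAAA==..."},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The benign records (a plain .vbs run from cmd.exe, a URL whose path merely contains "nine") are there to show the checks do not fire on ordinary script use; in production the URI check is the weakest of the three, since the card says only some backdoor versions carry the string and the path is invisible without TLS inspection.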