{
	"id": "5f8512c4-e475-4b8e-8b23-82ebaf61dd64",
	"created_at": "2026-04-06T00:12:14.09942Z",
	"updated_at": "2026-04-10T03:23:57.15287Z",
	"deleted_at": null,
	"sha1_hash": "eab7184c120118cdee688cbe5822fc0b27b931b6",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44676,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:54:21 UTC\r\nHome \u003e List all groups \u003e Operation Layover\r\n APT group: Operation Layover\r\nNames Operation Layover (Talos)\r\nCountry Nigeria\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nDescription\r\n(Talos) Cisco Talos and other security researchers have recently reported on a series of\r\nmalicious campaigns targeting the aviation industry. These reports mainly center around the\r\ncrypter that hides the usage of commodity malicious remote access tools.\r\nWe decided this would be a good starting point to demonstrate how a researcher can pivot\r\nfrom the initial discovery of a RAT and eventually profile a threat actor. This post will show\r\nhow we discovered previous campaigns targeting the aviation industry, which links back to an\r\nactor that's been active for approximately six years.\r\nWe believe the actor is based out of Nigeria with a high degree of confidence and doesn't seem\r\nto be technically sophisticated, using off-the-shelf malware since the beginning of its activities\r\nwithout developing its own malware. The actor also buys the crypters that allow the usage of\r\nsuch malware without being detected; throughout the years it has used several different\r\ncrypters, mostly bought on online forums.\r\nWe also believe with a high degree of confidence that the actor has been active for at least five\r\nyears. For the last two, they've been targeting the aviation industry, while conducting other\r\ncampaigns at the same time. 
Pivoting from an initial discovery is not an exact science — in\r\nthis process, a researcher must assert a certain level of confidence in these associations.\r\nObserved\r\nTools used AsyncRAT, CyberGate RAT, njRAT.\r\nInformation \u003chttps://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html\u003e\r\nLast change to this card: 02 November 2021\r\nDownload this actor card in PDF or JSON format\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3c999046-a518-4df5-acc2-b96146331ac7\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3c999046-a518-4df5-acc2-b96146331ac7\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3c999046-a518-4df5-acc2-b96146331ac7\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3c999046-a518-4df5-acc2-b96146331ac7"
	],
	"report_names": [
		"showcard.cgi?u=3c999046-a518-4df5-acc2-b96146331ac7"
	],
	"threat_actors": [
		{
			"id": "4f5da0b4-5d47-4ae4-87cb-dfcb3c3524ae",
			"created_at": "2022-10-25T16:07:23.96921Z",
			"updated_at": "2026-04-10T02:00:04.812941Z",
			"deleted_at": null,
			"main_name": "Operation Layover",
			"aliases": [],
			"source_name": "ETDA:Operation Layover",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"CyberGate",
				"CyberGate RAT",
				"Jorik",
				"Rebhip",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775791437,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eab7184c120118cdee688cbe5822fc0b27b931b6.pdf",
		"text": "https://archive.orkl.eu/eab7184c120118cdee688cbe5822fc0b27b931b6.txt",
		"img": "https://archive.orkl.eu/eab7184c120118cdee688cbe5822fc0b27b931b6.jpg"
	}
}