{
	"id": "1137db65-d4b5-4421-92b2-9e9b767afc11",
	"created_at": "2026-04-06T00:14:06.888108Z",
	"updated_at": "2026-04-10T03:28:33.887047Z",
	"deleted_at": null,
	"sha1_hash": "eb3f7682f4884303e711593493b642d4438ce0bd",
	"title": "Night Dragon - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32631,
	"plain_text": "Night Dragon - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:38:35 UTC\r\nDescription: (McAfee) Starting in November 2009, coordinated covert and targeted cyberattacks have been\r\nconducted against global oil, energy, and petrochemical companies. These attacks have involved social\r\nengineering, spear-phishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities,\r\nMicrosoft Active Directory compromises, and the use of remote administration tools (RATs) in targeting and\r\nharvesting sensitive competitive proprietary operations and project-financing information with regard to oil and\r\ngas field bids and operations.\r\nAttackers using several locations in China have leveraged C\u0026C servers on purchased hosted services in the\r\nUnited States and compromised servers in the Netherlands to wage attacks against global oil, gas, and\r\npetrochemical companies, as well as individuals and executives in Kazakhstan, Taiwan, Greece, and the United\r\nStates to acquire proprietary and highly confidential information. The primary operational technique used by the\r\nattackers comprised a variety of hacker tools, including privately developed and customized RAT tools that\r\nprovided complete remote administration capabilities to the attacker. RATs provide functions similar to Citrix or\r\nMicrosoft Windows Terminal Services, allowing a remote individual to completely control the affected system. To\r\ndeploy these tools, attackers first compromised perimeter security controls, through SQL-injection exploits of\r\nextranet web servers, as well as targeted spear-phishing attacks of mobile worker laptops, and compromising\r\ncorporate VPN accounts to penetrate the targeted company’s defensive architectures (DMZs and firewalls) and\r\nconduct reconnaissance of targeted companies’ networked computers.\r\nNight Dragon may be related to APT 18, Dynamite Panda, Wekby.\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4feaae3b-b420-4bd0-ad22-1eccf413d53b\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=4feaae3b-b420-4bd0-ad22-1eccf413d53b\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4feaae3b-b420-4bd0-ad22-1eccf413d53b"
	],
	"report_names": [
		"showcard.cgi?u=4feaae3b-b420-4bd0-ad22-1eccf413d53b"
	],
	"threat_actors": [
		{
			"id": "ea844ee6-eb12-42c0-8426-11395fe81e6f",
			"created_at": "2022-10-25T15:50:23.300796Z",
			"updated_at": "2026-04-10T02:00:05.32389Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"Night Dragon"
			],
			"source_name": "MITRE:Night Dragon",
			"tools": [
				"at",
				"gsecdump",
				"zwShell",
				"PsExec",
				"ASPXSpy",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17b92337-ca5f-48bb-926b-c93b5e5678a4",
			"created_at": "2022-10-25T16:07:23.333316Z",
			"updated_at": "2026-04-10T02:00:04.546474Z",
			"deleted_at": null,
			"main_name": "APT 18",
			"aliases": [
				"APT 18",
				"Dynamite Panda",
				"G0026",
				"Red Wraith",
				"SILVERVIPER",
				"Satin Typhoon",
				"Scandium",
				"TG-0416",
				"Wekby"
			],
			"source_name": "ETDA:APT 18",
			"tools": [
				"AngryRebel",
				"AtNow",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HttpBrowser RAT",
				"HttpDump",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Pisloader",
				"QUICKBALL",
				"Roseam",
				"StickyFingers",
				"Token Control",
				"TokenControl",
				"hcdLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "09a8f8fe-e907-47b4-8709-a97717dde3cc",
			"created_at": "2022-10-25T16:07:23.90252Z",
			"updated_at": "2026-04-10T02:00:04.783553Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"G0014"
			],
			"source_name": "ETDA:Night Dragon",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Cain \u0026 Abel",
				"gsecdump",
				"zwShell"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2669aa86-663f-4e72-9362-9e61ff3599f4",
			"created_at": "2022-10-25T15:50:23.344796Z",
			"updated_at": "2026-04-10T02:00:05.38663Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"APT18",
				"TG-0416",
				"Dynamite Panda",
				"Threat Group-0416"
			],
			"source_name": "MITRE:APT18",
			"tools": [
				"hcdLoader",
				"gh0st RAT",
				"cmd",
				"Pisloader",
				"HTTPBrowser"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "020794ec-7315-47de-818c-2032c362fd15",
			"created_at": "2023-01-06T13:46:38.306576Z",
			"updated_at": "2026-04-10T02:00:02.920647Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"G0014"
			],
			"source_name": "MISPGALAXY:Night Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434446,
	"ts_updated_at": 1775791713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb3f7682f4884303e711593493b642d4438ce0bd.pdf",
		"text": "https://archive.orkl.eu/eb3f7682f4884303e711593493b642d4438ce0bd.txt",
		"img": "https://archive.orkl.eu/eb3f7682f4884303e711593493b642d4438ce0bd.jpg"
	}
}