{
	"id": "e5619b86-c9a7-4aca-9f8e-a752d7f6510a",
	"created_at": "2026-04-06T00:08:11.433762Z",
	"updated_at": "2026-04-10T03:35:26.842672Z",
	"deleted_at": null,
	"sha1_hash": "ede632f39cc447fb97670becc8bd084429063925",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45057,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:41:52 UTC\r\nAPT group: Hydrochasma\r\nNames: Hydrochasma (Symantec)\r\nCountry: [Unknown]\r\nMotivation: Information theft and espionage\r\nFirst seen: 2022\r\nDescription\r\n(Symantec) Shipping companies and medical laboratories in Asia are being targeted in a likely\r\nintelligence-gathering campaign that relies exclusively on publicly available and living-off-the-land tools.\r\nHydrochasma, the threat actor behind this campaign, has not been linked to any previously\r\nidentified group, but appears to have a possible interest in industries that may be involved in\r\nCOVID-19-related treatments or vaccines.\r\nThis activity has been ongoing since at least October 2022. While Symantec, by Broadcom\r\nSoftware, did not see any data being exfiltrated in this campaign, the targets, as well as some\r\nof the tools used, indicate that the most likely motivation in this campaign is intelligence\r\ngathering.\r\nObserved\r\nSectors: Healthcare, Shipping and Logistics.\r\nCountries: Asia.\r\nTools used\r\nBrowserGhost, Cobalt Strike, GO Simple Tunnel, HackBrowserData, ProcDump, SoftEther\r\nVPN, Living off the Land.\r\nInformation\r\n\u003chttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/hydrochasma-asia-medical-shipping-intelligence-gathering\u003e\r\nLast change to this card: 25 April 2023\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4adfaa81-56ce-462d-b1ea-d88312b4b937\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=4adfaa81-56ce-462d-b1ea-d88312b4b937\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4adfaa81-56ce-462d-b1ea-d88312b4b937"
	],
	"report_names": [
		"showcard.cgi?u=4adfaa81-56ce-462d-b1ea-d88312b4b937"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a7e1c40-e88e-49ca-97d1-ec65a306eb7a",
			"created_at": "2023-04-27T02:04:44.903564Z",
			"updated_at": "2026-04-10T02:00:04.724185Z",
			"deleted_at": null,
			"main_name": "Hydrochasma",
			"aliases": [],
			"source_name": "ETDA:Hydrochasma",
			"tools": [
				"Agentemis",
				"BrowserGhost",
				"Cobalt Strike",
				"CobaltStrike",
				"GO Simple Tunnel",
				"GOST",
				"HackBrowserData",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ProcDump",
				"SoftEther VPN",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434091,
	"ts_updated_at": 1775792126,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ede632f39cc447fb97670becc8bd084429063925.pdf",
		"text": "https://archive.orkl.eu/ede632f39cc447fb97670becc8bd084429063925.txt",
		"img": "https://archive.orkl.eu/ede632f39cc447fb97670becc8bd084429063925.jpg"
	}
}