{ "id": "f2050dc0-4580-455c-9863-07e7202f917a", "created_at": "2026-04-06T00:09:24.412258Z", "updated_at": "2026-04-10T03:35:47.267097Z", "deleted_at": null, "sha1_hash": "ef5437e65c15e361db413d4974a473bc9efe51a0", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51398, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:25:00 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Spaceship\n Tool: Spaceship\nNames Spaceship\nCategory Malware\nType Exfiltration\nDescription\n(FireEye) SPACESHIP searches for files with a specified set of file extensions and\ncopies them to a removable drive. FireEye believes that SHIPSHAPE is used to copy\nSPACESHIP to a removable drive, which could be used to infect another victim\ncomputer, including an air-gapped computer. SPACESHIP is then used to steal\ndocuments from the air-gapped system, copying them to a removable drive inserted into\nthe SPACESHIP-infected system.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool Spaceship\nChanged Name Country Observed\nAPT groups\n APT 30, Override Panda 2005\n Naikon, Lotus Panda 2010-Apr 2022\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=61a36a16-f4cb-4174-9151-7c5890c874b7\nPage 1 of 2\n\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=61a36a16-f4cb-4174-9151-7c5890c874b7\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=61a36a16-f4cb-4174-9151-7c5890c874b7\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=61a36a16-f4cb-4174-9151-7c5890c874b7" ], "report_names": [ "listgroups.cgi?u=61a36a16-f4cb-4174-9151-7c5890c874b7" ], "threat_actors": [ { "id": "360f51f5-8a80-41d6-92c4-9aa042cd2732", "created_at": "2022-10-25T16:07:23.34569Z", "updated_at": "2026-04-10T02:00:04.55147Z", "deleted_at": null, "main_name": "APT 30", "aliases": [ "APT 30", "Bronze Geneva", "Bronze Sterling", "CTG-5326", "G0013", "Override Panda", "RADIUM", "Raspberry Typhoon" ], "source_name": "ETDA:APT 30", "tools": [ "BackBend", "Creamsicle", "Flashflood", "Gemcutter", "Lecna", "NetEagle", "Neteagle_Scout", "Orangeade", "ScoutEagle", "Shipshape", "ZRLnk", "norton" ], "source_id": "ETDA", "reports": null }, { "id": "b69484be-98d1-49e6-aed1-a28dbf65176a", "created_at": "2022-10-25T16:07:23.886782Z", "updated_at": "2026-04-10T02:00:04.779029Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "G0019", "Hellsing", "ITG06", "Lotus Panda", "Naikon", "Operation CameraShy" ], "source_name": "ETDA:Naikon", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "AR", "ARL", "Agent.dhwf", "Aria-body", "Aria-body loader", "Asset Reconnaissance Lighthouse", "BackBend", "Creamsicle", "Custom HDoor", "Destroy RAT", "DestroyRAT", "Flashflood", "FoundCore", "Gemcutter", "HDoor", "JadeRAT", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LadonGo", "Lecna", "Living off the Land", "NBTscan", "Naikon", "NetEagle", "Neteagle_Scout", "NewCore RAT", "Orangeade", "PlugX", "Quarks PwDump", "RARSTONE", "RainyDay", "RedDelta", "RoyalRoad", "Sacto", "Sandboxie", "ScoutEagle", "Shipshape", "Sisfader", "Sisfader RAT", "Sogu", "SslMM", "Sys10", "TIGERPLUG", "TVT", "TeamViewer", "Thoper", "WinMM", "Xamtrav", "XsFunction", "ZRLnk", "nbtscan", "nokian", "norton", "xsControl", "xsPlus" ], "source_id": "ETDA", "reports": null }, { "id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32", "created_at": "2023-04-20T02:01:50.979595Z", "updated_at": "2026-04-10T02:00:02.913011Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "BRONZE STERLING", "G0013", "PLA Unit 78020", "OVERRIDE PANDA", "Camerashy", "BRONZE GENEVA", "G0019", "Naikon" ], "source_name": "MISPGALAXY:Naikon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c21da9ce-944f-4a37-8ce3-71a0f738af80", "created_at": "2025-08-07T02:03:24.586257Z", "updated_at": "2026-04-10T02:00:03.804264Z", "deleted_at": null, "main_name": "BRONZE ELGIN", "aliases": [ "CTG-8171 ", "Lotus Blossom ", "Lotus Panda ", "Lstudio", "Spring Dragon " ], "source_name": "Secureworks:BRONZE ELGIN", "tools": [ "Chrysalis", "Cobalt Strike", "Elise", "Emissary Trojan", "Lzari", "Meterpreter" ], "source_id": "Secureworks", "reports": null }, { "id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf", "created_at": "2022-10-25T15:50:23.31611Z", "updated_at": "2026-04-10T02:00:05.370146Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "Naikon" ], "source_name": "MITRE:Naikon", "tools": [ "ftp", "netsh", "WinMM", "Systeminfo", "RainyDay", "RARSTONE", "HDoor", "Sys10", "SslMM", "PsExec", "Tasklist", "Aria-body" ], "source_id": "MITRE", "reports": null }, { "id": "87a20b72-ab72-402f-9013-c746c8458b0b", "created_at": "2023-01-06T13:46:38.293223Z", "updated_at": "2026-04-10T02:00:02.915184Z", "deleted_at": null, "main_name": "LOTUS PANDA", "aliases": [ "Red Salamander", "Lotus BLossom", "Billbug", "Spring Dragon", "ST Group", "BRONZE ELGIN", "ATK1", "G0030", "Lotus Blossom", "DRAGONFISH" ], "source_name": "MISPGALAXY:LOTUS PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62", "created_at": "2025-08-07T02:03:24.604463Z", "updated_at": "2026-04-10T02:00:03.798481Z", "deleted_at": null, "main_name": "BRONZE GENEVA", "aliases": [ "APT30 ", "BRONZE STERLING ", "CTG-5326 ", "Naikon ", "Override Panda ", "RADIUM ", "Raspberry Typhoon" ], "source_name": "Secureworks:BRONZE GENEVA", "tools": [ "Lecna Downloader", "Nebulae", "ShadowPad" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434164, "ts_updated_at": 1775792147, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ef5437e65c15e361db413d4974a473bc9efe51a0.pdf", "text": "https://archive.orkl.eu/ef5437e65c15e361db413d4974a473bc9efe51a0.txt", "img": "https://archive.orkl.eu/ef5437e65c15e361db413d4974a473bc9efe51a0.jpg" } }