{
	"id": "65e8457a-8363-41df-a9e8-297e63dd216f",
	"created_at": "2026-04-06T00:10:03.970258Z",
	"updated_at": "2026-04-10T03:30:01.604161Z",
	"deleted_at": null,
	"sha1_hash": "f138a3b92af6707d094cd701af195254254ccda5",
	"title": "Operation Jacana - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47198,
	"plain_text": "Operation Jacana - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 12:35:58 UTC\nAPT group: Operation Jacana\nNames Operation Jacana (ESET)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2023\nDescription\n(ESET) In February 2023, ESET researchers detected a spearphishing campaign targeting a\ngovernmental entity in Guyana. While we haven’t been able to link the campaign, which we\nnamed Operation Jacana, to any specific APT group, we believe with medium confidence that\na China-aligned threat group is behind this incident.\nIn the attack, the operators used a previously undocumented C++ backdoor that can exfiltrate\nfiles, manipulate Windows registry keys, execute CMD commands, and more. We named the\nbackdoor DinodasRAT based on the victim identifier it sends to its C\u0026C: the string always\nbegins with Din, which reminded us of the hobbit Dinodas from the Lord of the Rings.\nObserved Countries: Guyana.\nTools used DinodasRAT, Impacket, PlugX, SoftEther VPN.\nInformation Last change to this card: 13 October 2023\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=321affd1-6d46-4886-9edd-9d2fe9705ff0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=321affd1-6d46-4886-9edd-9d2fe9705ff0"
	],
	"report_names": [
		"showcard.cgi?u=321affd1-6d46-4886-9edd-9d2fe9705ff0"
	],
	"threat_actors": [
		{
			"id": "61c3f4b4-afd9-4187-91c3-ba6dfeeb6470",
			"created_at": "2023-10-14T02:03:14.355977Z",
			"updated_at": "2026-04-10T02:00:04.811984Z",
			"deleted_at": null,
			"main_name": "Operation Jacana",
			"aliases": [],
			"source_name": "ETDA:Operation Jacana",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"DinodasRAT",
				"Impacket",
				"Kaba",
				"Korplug",
				"PlugX",
				"RedDelta",
				"SoftEther VPN",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XDealer",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434203,
	"ts_updated_at": 1775791801,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f138a3b92af6707d094cd701af195254254ccda5.pdf",
		"text": "https://archive.orkl.eu/f138a3b92af6707d094cd701af195254254ccda5.txt",
		"img": "https://archive.orkl.eu/f138a3b92af6707d094cd701af195254254ccda5.jpg"
	}
}