{
	"id": "2ce1bdd2-1b83-43f9-ae87-9a9ba7b82def",
	"created_at": "2026-04-06T03:37:09.50558Z",
	"updated_at": "2026-04-10T03:32:21.532428Z",
	"deleted_at": null,
	"sha1_hash": "f392eac8acd4579020d1aa8c7c5319dd29794906",
	"title": "Icefog, Dagger Panda - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66659,
	"plain_text": "Icefog, Dagger Panda - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-06 02:58:38 UTC\r\nHome \u003e List all groups \u003e Icefog, Dagger Panda\r\n APT group: Icefog, Dagger Panda\r\nNames\r\nIcefog (Kaspersky)\r\nDagger Panda (CrowdStrike)\r\nATK 23 (Thales)\r\nRed Wendigo (PWC)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2011\r\nDescription\r\n(Kaspersky) “Icefog” is an Advanced Persistent Threat that has been active since at\r\nleast 2011, targeting mostly Japan and South Korea. Known targets include\r\ngovernmental institutions, military contractors, maritime and shipbuilding groups,\r\ntelecom operators, industrial and high-tech companies and mass media. The name\r\n“Icefog” comes from a string used in the command-and-control server name in one\r\nof the samples. The command-and-control software is named “Dagger Three”, in the\r\nChinese language.\r\nDuring Icefog attacks, several other malicious tools and backdoors were uploaded to\r\nthe victims’ machines, for data exfiltration and lateral movement.\r\nThe later group RedAlpha has infrastructure overlap with Icefog.\r\nObserved\r\nSectors: Aerospace, Defense, Government, High-Tech, Maritime and Shipbuilding,\r\nMedia, Telecommunications, Utilities and others.\r\nCountries: Australia, Austria, Belarus, Canada, China, France, Germany, Hong\r\nKong, India, Italy, Japan, Kazakhstan, Malaysia, Maldives, Mongolia, Netherlands,\r\nPakistan, Philippines, Russia, Singapore, South Korea, Sri Lanka, Taiwan,\r\nTajikistan, Turkey, UK, USA, Uzbekistan.\r\nTools used 8.t Dropper, Dagger Three, Icefog, Javafog, ShadowPad Winnti.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=d311b620-e98f-4210-b136-cd24749584b0\r\nPage 1 of 2\n\nOperations performed\nJan 2014\nThe Icefog APT Hits US Targets With Java Backdoor\nSince the publication of our report, the Icefog attackers went\ncompletely dark, shutting down all known 
command-and-control\nservers. Nevertheless, we continued to monitor the operation by\nsinkholing domains and analyzing victim connections. During this\nmonitoring, we observed an interesting type of connection which\nseemed to indicate a Java version of Icefog, further to be referenced\nas “Javafog”.\n2015\n“TOPNEWS” Campaign\nTarget: Government, media, and finance organizations in Russia and\nMongolia.\n2016\n“APPER” Campaign\nTarget: Kazakh officials.\n2018\n“WATERFIGHT” Campaign\nTarget: Water source provider, banks, and government entities in\nTurkey, India, Kazakhstan, Uzbekistan, and Tajikistan.\n2018\n“PHKIGHT” Campaign\nTarget: An unknown entity in the Philippines.\n2018/2019\n“SKYLINE” Campaign\nTarget: Organizations in Turkey and Kazakhstan.\nInformation\nLast change to this card: 10 March 2024\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d311b620-e98f-4210-b136-cd24749584b0\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=d311b620-e98f-4210-b136-cd24749584b0\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d311b620-e98f-4210-b136-cd24749584b0"
	],
	"report_names": [
		"showcard.cgi?u=d311b620-e98f-4210-b136-cd24749584b0"
	],
	"threat_actors": [
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9381a9dc-8d8e-453a-9fe5-301136ff0f83",
			"created_at": "2023-01-06T13:46:38.775762Z",
			"updated_at": "2026-04-10T02:00:03.096032Z",
			"deleted_at": null,
			"main_name": "RedAlpha",
			"aliases": [
				"DeepCliff",
				"Red Dev 3"
			],
			"source_name": "MISPGALAXY:RedAlpha",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cc8271a3-471f-4b8c-9da6-7d50f8ccabaa",
			"created_at": "2022-10-25T16:07:24.107066Z",
			"updated_at": "2026-04-10T02:00:04.868213Z",
			"deleted_at": null,
			"main_name": "RedAlpha",
			"aliases": [
				"DeepCliff",
				"Red Dev 3"
			],
			"source_name": "ETDA:RedAlpha",
			"tools": [
				"AngryRebel",
				"Bladabindi",
				"FF-RAT",
				"Farfli",
				"FormerFirstRAT",
				"Gh0st RAT",
				"Ghost RAT",
				"Jorik",
				"Moudour",
				"Mydoor",
				"NetHelp Infostealer",
				"NetHelp Striker",
				"PCRat",
				"RedAlpha",
				"ffrat",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775446629,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f392eac8acd4579020d1aa8c7c5319dd29794906.pdf",
		"text": "https://archive.orkl.eu/f392eac8acd4579020d1aa8c7c5319dd29794906.txt",
		"img": "https://archive.orkl.eu/f392eac8acd4579020d1aa8c7c5319dd29794906.jpg"
	}
}