{
	"id": "5a04c0bd-db31-4980-b7b6-3e482e22c960",
	"created_at": "2026-04-06T00:09:45.169689Z",
	"updated_at": "2026-04-10T13:12:28.401918Z",
	"deleted_at": null,
	"sha1_hash": "fbc9c98c410b3ab22d58221b23fa0401cb274150",
	"title": "Operation Crimson Palace - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48253,
	"plain_text": "Operation Crimson Palace - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:34:03 UTC\nAPT group: Operation Crimson Palace\nNames: Operation Crimson Palace (Sophos)\nCountry: China\nMotivation: Information theft and espionage\nFirst seen: 2022\nDescription\n(Sophos) In May 2023, in a threat hunt across Sophos Managed Detection and Response telemetry, Sophos MDR’s Mark Parsons uncovered a complex, long-running Chinese state-sponsored cyberespionage operation we have dubbed “Crimson Palace” targeting a high-profile government organization in Southeast Asia.\nMDR launched the hunt after the discovery of a DLL sideloading technique that exploited VMNat.exe, a VMware component. In the investigation that followed, we tracked at least three clusters of intrusion activity from March 2023 to December 2023. The hunt also uncovered previously unreported malware associated with the threat clusters, as well as a new, improved variant of the previously-reported EAGERBEE malware. In line with our standard internal nomenclature, Sophos tracks these clusters as Cluster Alpha (STAC1248), Cluster Bravo (STAC1807), and Cluster Charlie (STAC1305).\nObserved Countries: Southeast Asia.\nTools used\nInformation\nLast change to this card: 23 October 2024\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=38628e2b-0ecc-4da0-95aa-becc21561bfb",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=38628e2b-0ecc-4da0-95aa-becc21561bfb"
	],
	"report_names": [
		"showcard.cgi?u=38628e2b-0ecc-4da0-95aa-becc21561bfb"
	],
	"threat_actors": [
		{
			"id": "f0294b63-fb00-41cc-81db-ec7c8d4bb0ca",
			"created_at": "2024-06-20T02:02:09.94215Z",
			"updated_at": "2026-04-10T02:00:04.797664Z",
			"deleted_at": null,
			"main_name": "Operation Crimson Palace",
			"aliases": [],
			"source_name": "ETDA:Operation Crimson Palace",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434185,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fbc9c98c410b3ab22d58221b23fa0401cb274150.pdf",
		"text": "https://archive.orkl.eu/fbc9c98c410b3ab22d58221b23fa0401cb274150.txt",
		"img": "https://archive.orkl.eu/fbc9c98c410b3ab22d58221b23fa0401cb274150.jpg"
	}
}