{ "id": "b3bc29f5-f81e-4251-9dff-95d30358c6eb", "created_at": "2026-04-06T00:07:09.121916Z", "updated_at": "2026-04-10T03:29:29.115971Z", "deleted_at": null, "sha1_hash": "ff21fec3a95621266d0837f5f4c6e22a7dfd05be", "title": "APT 18, Dynamite Panda, Wekby", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 60903, "plain_text": "APT 18, Dynamite Panda, Wekby\r\nArchived: 2026-04-05 16:06:38 UTC\r\nHome \u003e List all groups \u003e APT 18, Dynamite Panda, Wekby\r\n APT group: APT 18, Dynamite Panda, Wekby\r\nNames\r\nAPT 18 (Mandiant)\r\nDynamite Panda (CrowdStrike)\r\nTG-0416 (SecureWorks)\r\nWekby (Palo Alto)\r\nScandium (Microsoft)\r\nSatin Typhoon (Microsoft)\r\nRed Wraith (PWC)\r\nSILVERVIPER (?)\r\nG0026 (MITRE)\r\nCountry China\r\nSponsor State-sponsored, PLA Navy\r\nMotivation Information theft and espionage\r\nFirst seen 2009\r\nDescription\r\nWekby was described by Palo Alto Networks in a 2016 report as: ‘Wekby is a group\r\nthat has been active for a number of years, targeting various industries such as\r\nhealthcare, telecommunications, aerospace, defense, and high tech. The group is\r\nknown to leverage recently released exploits very shortly after those exploits are\r\navailable, such as in the case of Hacking Team’s Flash zero-day exploit.’\r\nThis threat group has been seen since 2009.\r\nAPT 18 may be related to Night Dragon and/or Nitro, Covert Grove.\r\nObserved\r\nSectors: Aerospace, Construction, Defense, Education, Engineering, Healthcare,\r\nHigh-Tech, Telecommunications, Transportation and Biotechnology.\r\nCountries: USA.\r\nTools used\r\nAtNow, Gh0st RAT, hcdLoader, HTTPBrowser, Pisloader, StickyFingers and 0-day\r\nexploits for Flash.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=aa2f3420-e239-4b0c-9066-c6f5804de6a8\r\nPage 1 of 2\n\nOperations performed\nApr 2014\nCommunity Health Systems data breach\nJun 2015\nAttacks using DNS Requests as Command and Control Mechanism\nMethod: Phishing with obfuscated variants of the HTTPBrowser\ntool.\nMay 2016\nAttacks using DNS Requests as Command and Control Mechanism\nTarget: Organizations in the USA.\nMethod: Phishing with Pisloader dropper.\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=aa2f3420-e239-4b0c-9066-c6f5804de6a8\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=aa2f3420-e239-4b0c-9066-c6f5804de6a8\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=aa2f3420-e239-4b0c-9066-c6f5804de6a8" ], "report_names": [ "showcard.cgi?u=aa2f3420-e239-4b0c-9066-c6f5804de6a8" ], "threat_actors": [ { "id": "ea844ee6-eb12-42c0-8426-11395fe81e6f", "created_at": "2022-10-25T15:50:23.300796Z", "updated_at": "2026-04-10T02:00:05.32389Z", "deleted_at": null, "main_name": "Night Dragon", "aliases": [ "Night Dragon" ], "source_name": "MITRE:Night Dragon", "tools": [ "at", "gsecdump", "zwShell", "PsExec", "ASPXSpy", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "17b92337-ca5f-48bb-926b-c93b5e5678a4", "created_at": "2022-10-25T16:07:23.333316Z", "updated_at": "2026-04-10T02:00:04.546474Z", "deleted_at": null, "main_name": "APT 18", "aliases": [ "APT 18", "Dynamite Panda", "G0026", "Red Wraith", "SILVERVIPER", "Satin Typhoon", "Scandium", "TG-0416", "Wekby" ], "source_name": "ETDA:APT 18", "tools": [ "AngryRebel", "AtNow", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HttpBrowser RAT", "HttpDump", "Moudour", "Mydoor", "PCRat", "Pisloader", "QUICKBALL", "Roseam", "StickyFingers", "Token Control", "TokenControl", "hcdLoader" ], "source_id": "ETDA", "reports": null }, { "id": "09a8f8fe-e907-47b4-8709-a97717dde3cc", "created_at": "2022-10-25T16:07:23.90252Z", "updated_at": "2026-04-10T02:00:04.783553Z", "deleted_at": null, "main_name": "Night Dragon", "aliases": [ "G0014" ], "source_name": "ETDA:Night Dragon", "tools": [ "ASPXSpy", "ASPXTool", "Cain \u0026 Abel", "gsecdump", "zwShell" ], "source_id": "ETDA", "reports": null }, { "id": "a3687241-9876-477b-aa13-a7c368ffda58", "created_at": "2022-10-25T16:07:24.496902Z", "updated_at": "2026-04-10T02:00:05.010744Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "ETDA:Hacking Team", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "c8aefee7-fb57-409b-857e-23e986cb4a56", "created_at": "2023-01-06T13:46:38.285223Z", "updated_at": "2026-04-10T02:00:02.910756Z", "deleted_at": null, "main_name": "APT18", "aliases": [ "SCANDIUM", "PLA Navy", "Wekby", "G0026", "Satin Typhoon", "DYNAMITE PANDA", "TG-0416" ], "source_name": "MISPGALAXY:APT18", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62", "created_at": "2023-01-06T13:46:39.018236Z", "updated_at": "2026-04-10T02:00:03.183123Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "MISPGALAXY:Hacking Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2669aa86-663f-4e72-9362-9e61ff3599f4", "created_at": "2022-10-25T15:50:23.344796Z", "updated_at": "2026-04-10T02:00:05.38663Z", "deleted_at": null, "main_name": "APT18", "aliases": [ "APT18", "TG-0416", "Dynamite Panda", "Threat Group-0416" ], "source_name": "MITRE:APT18", "tools": [ "hcdLoader", "gh0st RAT", "cmd", "Pisloader", "HTTPBrowser" ], "source_id": "MITRE", "reports": null }, { "id": "9041c438-4bc0-4863-b89c-a32bba33903c", "created_at": "2023-01-06T13:46:38.232751Z", "updated_at": "2026-04-10T02:00:02.888195Z", "deleted_at": null, "main_name": "Nitro", "aliases": [ "Covert Grove" ], "source_name": "MISPGALAXY:Nitro", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a2b44a04-a080-4465-973d-976ce53777de", "created_at": "2022-10-25T16:07:23.911791Z", "updated_at": "2026-04-10T02:00:04.786538Z", "deleted_at": null, "main_name": "Nitro", "aliases": [ "Covert Grove", "Nitro" ], "source_name": "ETDA:Nitro", "tools": [ "AngryRebel", "Backdoor.Apocalipto", "Chymine", "Darkmoon", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Moudour", "Mydoor", "PCClient", "PCRat", "Poison Ivy", "SPIVY", "Spindest", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "020794ec-7315-47de-818c-2032c362fd15", "created_at": "2023-01-06T13:46:38.306576Z", "updated_at": "2026-04-10T02:00:02.920647Z", "deleted_at": null, "main_name": "Night Dragon", "aliases": [ "G0014" ], "source_name": "MISPGALAXY:Night Dragon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2ac8fb39-1ad4-407c-bf51-249751a575ba", "created_at": "2023-01-06T13:46:38.337728Z", "updated_at": "2026-04-10T02:00:02.933527Z", "deleted_at": null, "main_name": "SAMURAI PANDA", "aliases": [ "PLA Navy", "Wisp Team" ], "source_name": "MISPGALAXY:SAMURAI PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0", "created_at": "2023-01-06T13:46:38.667954Z", "updated_at": "2026-04-10T02:00:03.061447Z", "deleted_at": null, "main_name": "APT4", "aliases": [ "PLA Navy", "MAVERICK PANDA", "BRONZE EDISON", "SODIUM", "Salmon Typhoon" ], "source_name": "MISPGALAXY:APT4", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434029, "ts_updated_at": 1775791769, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ff21fec3a95621266d0837f5f4c6e22a7dfd05be.pdf", "text": "https://archive.orkl.eu/ff21fec3a95621266d0837f5f4c6e22a7dfd05be.txt", "img": "https://archive.orkl.eu/ff21fec3a95621266d0837f5f4c6e22a7dfd05be.jpg" } }