How do you use Threat Group Cards?

Introduction

When analyzing security incidents we always face the question of which adversary we are possibly dealing with and what we know about their prior engagements and TTPs, so that we can better understand how to approach the incident and what else to look for.

This document aims to create full profiles of all identified threat groups worldwide, drawing on the research generously shared by anti-virus and security research organizations over the years. It can be used as “threat group cards”, as the document title suggests, bringing everything together in an elaborate profile for each threat group. All dates shown in the cards are the dates when the stated activities started, not necessarily when the reports about them came out.

All information in this document comes from public sources (OSINT). The difficult part, attributing campaigns to actors, has been done by those security research organizations as well. What makes attribution difficult is that there may be overlap between threat groups, where they share tools or people move between groups, or where groups suddenly change tactics or type of target.

Not all groups have been publicly documented as well as others; most groups have remained rather obscure and, of course, not all individual campaigns have become public knowledge – targeted companies usually don’t welcome such exposure.

As a National CERT, ThaiCERT has a strictly neutral role, and nothing collected in this document signifies any specific endorsement, places blame on countries or takes sides.

With that said, compiling this document has been a tremendously interesting journey into the dark world of cybercrime and the groups associated with it.

Note: Users of MISP can also use the MISP Threat Actor cluster (galaxy) located at https://github.com/MISP/misp-galaxy/blob/master/clusters/threat-actor.json
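The overlap problem described above (one alias claimed by several groups, groups renamed across vendor reports) is exactly what an analyst runs into when resolving a name from an incident report against a threat-actor list such as the MISP galaxy cluster. The following Python is an added example, not code from ThaiCERT or from the MISP project. It assumes the cluster file's general shape (a top-level "values" list whose entries carry "value", "uuid" and a "meta" dict with a "synonyms" list); the entries embedded below are constructed placeholders, not real cluster data. It builds a case- and punctuation-insensitive alias index, resolves a name to every canonical group that claims it, and lists aliases shared by more than one entry so the ambiguity is surfaced rather than silently picking the first match.

```python
import json
import re
from typing import Dict, List

# Constructed sample in the shape of a MISP galaxy cluster file (threat-actor.json).
# The group names, UUIDs and URLs below are invented placeholders for illustration.
SAMPLE_CLUSTER = {
    "name": "Threat Actor",
    "type": "threat-actor",
    "values": [
        {
            "value": "Example Group A",
            "uuid": "00000000-0000-4000-8000-000000000001",
            "description": "Constructed placeholder entry.",
            "meta": {"synonyms": ["EXAMPLE-A", "Placeholder Panda"],
                     "refs": ["https://example.invalid/report-a"]},
        },
        {
            "value": "Example Group B",
            "uuid": "00000000-0000-4000-8000-000000000002",
            "description": "Constructed placeholder entry.",
            "meta": {"synonyms": ["Sample Bear"],
                     "refs": ["https://example.invalid/report-b"]},
        },
        {
            "value": "Example Group C",
            "uuid": "00000000-0000-4000-8000-000000000003",
            "description": "Constructed placeholder entry that reuses an alias of Group A.",
            "meta": {"synonyms": ["Placeholder Panda"],
                     "refs": ["https://example.invalid/report-c"]},
        },
    ],
}


def normalize(name: str) -> str:
    """Fold case and drop spaces/punctuation so 'APT 28', 'apt-28' and 'APT28' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def build_alias_index(cluster: dict) -> Dict[str, List[dict]]:
    """Map every normalized canonical name and synonym to the entries that claim it.

    A list is kept per key on purpose: vendor naming overlaps, so one alias may
    legitimately point at more than one cluster entry.
    """
    index: Dict[str, List[dict]] = {}
    for entry in cluster.get("values", []):
        names = [entry["value"]] + list(entry.get("meta", {}).get("synonyms", []))
        for name in names:
            bucket = index.setdefault(normalize(name), [])
            if entry not in bucket:  # an entry listing its own value as a synonym is added once
                bucket.append(entry)
    return index


def lookup(index: Dict[str, List[dict]], name: str) -> List[str]:
    """Return the canonical 'value' of every entry matching the given alias (empty if unknown)."""
    return [entry["value"] for entry in index.get(normalize(name), [])]


def find_shared_aliases(index: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Return normalized aliases claimed by more than one entry, with the groups involved."""
    return {alias: [entry["value"] for entry in entries]
            for alias, entries in index.items() if len(entries) > 1}


def load_cluster_file(path: str) -> dict:
    """Load a cluster JSON file from disk (e.g. a local copy of threat-actor.json)."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


if __name__ == "__main__":
    idx = build_alias_index(SAMPLE_CLUSTER)
    print(lookup(idx, "example-a"))          # ['Example Group A']
    print(lookup(idx, "placeholder panda"))  # ['Example Group A', 'Example Group C']
    print(find_shared_aliases(idx))          # {'placeholderpanda': ['Example Group A', 'Example Group C']}
```

To run it against the real cluster, replace SAMPLE_CLUSTER with load_cluster_file("threat-actor.json") after downloading the file; any alias that resolves to more than one group is a case where the reports behind each card should be read before attributing an incident to either.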

Resource: