ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Carderbee

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Carderbee

NamesCarderbee (Symantec)
CountryChina China
MotivationInformation theft and espionage
First seen2023
Description(Symantec) A previously unknown advanced persistent threat (APT) group used the legitimate Cobra DocGuard software to carry out a supply chain attack with the goal of deploying the Korplug backdoor (aka PlugX) onto victim computers.

In the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate. Most of the victims in this campaign are based in Hong Kong, with some victims based in other regions of Asia.

Korplug is known to be used by multiple APT groups, but we could not link this activity to a known threat actor so we have given the actor behind this activity a new name — Carderbee.
ObservedCountries: Hong Kong and Asia.
Tools usedCobra DocGuard, PlugX.

Last change to this card: 06 September 2023

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]