ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Nightshade Panda, APT 9, Group 27

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Nightshade Panda, APT 9, Group 27

NamesNightshade Panda (CrowdStrike)
APT 9 (Mandiant)
Group 27 (ASERT)
FlowerLady (Context)
FlowerShow (Context)
CountryChina China
MotivationInformation theft and espionage
First seen2013
Description(Softpedia) Arbor’s ASERT team is now reporting that, after looking deeper at that particular campaign, and by exposing a new trail in the group’s activities, they managed to identify a new RAT that was undetectable at that time by most antivirus vendors.

Named Trochilus, this new RAT was part of Group 27’s malware portfolio that included six other malware strains, all served together or in different combinations, based on the data that needed to be stolen from each victim.

This collection of malware, dubbed the Seven Pointed Dagger by ASERT experts, included two different PlugX versions, two different Trochilus RAT versions, one version of the 3012 variant of the 9002 RAT, one EvilGrab RAT version, and one unknown piece of malware, which the team has not entirely decloaked just yet.
ObservedSectors: Energy, Government, Media, Utilities.
Countries: Myanmar, Thailand, USA and Europe.
Tools used3102 RAT, 9002 RAT, EvilGrab RAT, MoonWind RAT, PlugX, Poison Ivy, Trochilus RAT.
Operations performedMay 2015Operation “Seven Pointed Dagger”
During that campaign, the threat actor identified as Group 27 used watering hole attacks on official Myanmar government websites to infect unsuspecting users with the PlugX malware (an RAT) when accessing information on the upcoming Myanmar elections.
May 2015Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media
Sep 2016From September 2016 through late November 2016, a threat actor group used both the Trochilus RAT and a newly idenfied RAT we’ve named MoonWind to target organizations in Thailand, including a utility organization. We chose the name ‘MoonWind’ based on debugging strings we saw within the samples, as well as the compiler used to generate the samples. The attackers compromised two legitimate Thai websites to host the malware, which is a tactic this group has used in the past.

Last change to this card: 14 April 2020

Download this actor card in PDF or JSON format

Previous: Night Dragon
Next: NineBlog

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]