Threat Actor Encyclopedia 

This document aims to create full profiles of all threat groups worldwide that have been identified, drawing on the research
generously shared by anti-virus and security research organizations over the years. It can be used as “threat group
cards”, as the document title suggests, to have everything together in an elaborate profile for each threat group. All dates
shown in the cards are the dates when the stated activities started, not necessarily when the reports about them came
All information in this document comes from public sources (OSINT). The difficult part of attributing campaigns to actors
has been done by those security research organizations as well. What makes this difficult is the fact that there may be
some overlap between threat groups, where they share tools or people move between groups, or when groups suddenly
change tactics or type of target.
Not all groups have been publicly documented as well as others; most groups have remained rather obscure and, of
course, not all individual campaigns resulted in public knowledge – targeted companies usually don’t welcome such
As a National CERT, ThaiCERT has a strictly neutral role and everything collected in this document does in no way signify
specific endorsements, placing blame on countries or taking sides.
With that said, compiling this document has been a tremendously interesting journey into the dark world of cybercrime and
the groups associated with it.
Note: Users of MISP can also use the MISP Threat Actor cluster (galaxy) located at <>