Threat Intelligence Tarot
wands · 13
Unknown (Southeast Asia region, suspected state-linked)
G1022 · ★★★★★
risk 4/5
✦ The Mercenary Wing ✦
Yellow Garuda
ToddyCat
Asian governments · Military organizations · European diplomatic missions in Asia
Active since ~2020 · Southeast Asian government espionage, High-value target compromise, Persistent access
The Mercenary Wing moves quietly through the governments of Southeast Asia - a region where attribution is contested, allies shift, and no single power dominates the intelligence landscape. It leaves custom implants in diplomatic networks and military ministries, and it does not announce itself.
Tactics & Techniques
RCN (Reconnaissance)
RDV (Resource Development)
INI (Initial Access)
EXC (Execution)
PRS (Persistence)
PRV (Privilege Escalation)
EVA (Defense Evasion)
CRD (Credential Access)
DSC (Discovery)
LAT (Lateral Movement)
COL (Collection)
C2 (Command and Control)
EXF (Exfiltration)
IMP (Impact)
Notable Operations
- ◆ Microsoft Exchange exploitation targeting Asian government ministries
- ◆ Persistent access campaigns across Southeast Asian defense organizations
- ◆ Ninja and Samurai malware framework deployment
- ◆ European diplomatic missions in Asia targeted
Defenses
- ▸ Microsoft Exchange patching and hardening, IIS monitoring (CIS Control 7)
- ▸ Web shell detection via file integrity monitoring (NIST CSF: DE.CM)
- ▸ Lateral movement detection for SMB and admin share access (CIS Control 13)
- ▸ Diplomatic network segmentation from general IT infrastructure (CIS Control 12)
Reversed: Their Weakness
Yellow Garuda's relatively recent emergence and limited public attribution mean the defensive community has had less time to build detection signatures - its novel malware frameworks like Ninja give it operational advantages that decay as analysis matures.
Data sourced from MITRE ATT&CK. For educational purposes.