{ "id": "690ebf85-ba51-4c7a-a77d-956eb1c8f820", "created_at": "2026-04-06T00:08:45.691795Z", "updated_at": "2026-04-10T03:33:38.16979Z", "deleted_at": null, "sha1_hash": "020b55ee3b0ddefe9cbf3a048c6e3bf169fdb16a", "title": "access-c3 - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49681, "plain_text": "access-c3 - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:44:42 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool remote-access-c3\r\n Tool: remote-access-c3\r\nNames remote-access-c3\r\nCategory Malware\r\nType Backdoor, Info stealer\r\nDescription\r\n(Trend Micro) The remote-access-c3 backdoor seems to be inspired by Patchwork’s\r\nNDiskMonitor because they share some behaviors, strings, and commands. remote-access-c3\r\nis written in C++ using the Standard Template Library (STL) library. When remote-backdoor-c3 is executed, it waits for a certain time, because of its long initial time delay. It later loads\r\nand executes all modules saved in the system registry, establishes persistence via Task\r\nScheduler, and starts a beaconing thread.\r\nInformation\r\n\u003chttps://documents.trendmicro.com/assets/research-deciphering-confucius-cyberespionage-operations.pdf\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool remote-access-c3\r\nChanged Name Country Observed\r\nAPT groups\r\n  Confucius 2013-Aug 2021  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ee3e6bbf-bb27-4e85-a430-a09a76acab17\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ee3e6bbf-bb27-4e85-a430-a09a76acab17\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ee3e6bbf-bb27-4e85-a430-a09a76acab17" ], "report_names": [ "listgroups.cgi?u=ee3e6bbf-bb27-4e85-a430-a09a76acab17" ], "threat_actors": [ { "id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4", "created_at": "2025-08-07T02:03:25.123407Z", "updated_at": "2026-04-10T02:00:03.668131Z", "deleted_at": null, "main_name": "ZINC EMERSON", "aliases": [ "Confucius ", "Dropping Elephant ", "EHDevel ", "Manul ", "Monsoon ", "Operation Hangover ", "Patchwork ", "TG-4410 ", "Viceroy Tiger " ], "source_name": "Secureworks:ZINC EMERSON", "tools": [ "Enlighten Infostealer", "Hanove", "Mac OS X KitM Spyware", "Proyecto2", "YTY Backdoor" ], "source_id": "Secureworks", "reports": null }, { "id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8", "created_at": "2022-10-25T16:07:23.482856Z", "updated_at": "2026-04-10T02:00:04.627414Z", "deleted_at": null, "main_name": "Confucius", "aliases": [ "G0142" ], "source_name": "ETDA:Confucius", "tools": [ "ApacheStealer", "ByeByeShell", "ChatSpy", "Confucius", "MY24", "Sneepy", "remote-access-c3", "sctrls", "sip_telephone", "swissknife2" ], "source_id": "ETDA", "reports": null }, { "id": "7ea1e0de-53b9-4059-802f-485884180701", "created_at": "2022-10-25T16:07:24.04846Z", "updated_at": "2026-04-10T02:00:04.84985Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "APT-C-09", "ATK 11", "Capricorn Organisation", "Chinastrats", "Dropping Elephant", "G0040", "Maha Grass", "Quilted Tiger", "TG-4410", "Thirsty Gemini", "Zinc Emerson" ], "source_name": "ETDA:Patchwork", "tools": [ "AndroRAT", "Artra Downloader", "ArtraDownloader", "AutoIt backdoor", "BADNEWS", "BIRDDOG", "Bahamut", "Bozok", "Bozok RAT", "Brute Ratel", "Brute Ratel C4", "CinaRAT", "Crypta", "ForeIT", "JakyllHyde", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "NDiskMonitor", "Nadrac", "PGoShell", "PowerSploit", "PubFantacy", "Quasar RAT", "QuasarRAT", "Ragnatela", "Ragnatela RAT", "SocksBot", "TINYTYPHON", "Unknown Logger", "WSCSPL", "Yggdrasil" ], "source_id": "ETDA", "reports": null }, { "id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6", "created_at": "2022-10-25T15:50:23.285448Z", "updated_at": "2026-04-10T02:00:05.282202Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "Hangover Group", "Dropping Elephant", "Chinastrats", "Operation Hangover" ], "source_name": "MITRE:Patchwork", "tools": [ "NDiskMonitor", "QuasarRAT", "BackConfig", "TINYTYPHON", "AutoIt backdoor", "PowerSploit", "BADNEWS", "Unknown Logger" ], "source_id": "MITRE", "reports": null }, { "id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c", "created_at": "2022-10-25T15:50:23.472432Z", "updated_at": "2026-04-10T02:00:05.352882Z", "deleted_at": null, "main_name": "Confucius", "aliases": [ "Confucius", "Confucius APT" ], "source_name": "MITRE:Confucius", "tools": [ "WarzoneRAT" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434125, "ts_updated_at": 1775792018, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/020b55ee3b0ddefe9cbf3a048c6e3bf169fdb16a.pdf", "text": "https://archive.orkl.eu/020b55ee3b0ddefe9cbf3a048c6e3bf169fdb16a.txt", "img": "https://archive.orkl.eu/020b55ee3b0ddefe9cbf3a048c6e3bf169fdb16a.jpg" } }