{ "id": "11d7e217-1bb8-4bdb-945b-fda1bd0cbd26", "created_at": "2026-04-06T00:14:19.487091Z", "updated_at": "2026-04-10T13:11:30.022891Z", "deleted_at": null, "sha1_hash": "0480e259159ced43c5e3d50c141194ebd395a6d9", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52741, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:27:07 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Ragnatela\n Tool: Ragnatela\nNames\nRagnatela\nRagnatela RAT\nCategory Malware\nType Backdoor, Info stealer, Keylogger, Downloader, Exfiltration\nDescription\n(Malwarebytes) We identified what we believe is a new variant of the BADNEWS RAT called\nRagnatela being distributed via spear phishing emails to targets of interest in Pakistan.\nRagnatela, which means spider web in Italian, is also the project name and panel used by\nPatchwork APT.\nRagnatela RAT was built sometime in late November as seen in its Program Database (PDB)\npath “E:\\new_ops\\jlitest __change_ops -29no – Copy\\Release\\jlitest.pdb”. It features the\nfollowing capabilities:\n• Executing commands via cmd\n• Capturing screenshots\n• Logging Keystrokes\n• Collecting list of all the files in victim’s machine\n• Collecting list of the running applications in the victim’s machine at a specific time periods\n• Downing addition payloads\n• Uploading files\nInformation\nLast change to this tool card: 25 January 2022\nDownload this tool card in JSON format\nAll groups using tool Ragnatela\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e9285ec-5ef6-4191-b13a-7c871bfb6e9f\nPage 1 of 2\n\nAPT groups\r\n  Patchwork, Dropping Elephant 2013-Jun 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e9285ec-5ef6-4191-b13a-7c871bfb6e9f\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e9285ec-5ef6-4191-b13a-7c871bfb6e9f\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e9285ec-5ef6-4191-b13a-7c871bfb6e9f" ], "report_names": [ "listgroups.cgi?u=2e9285ec-5ef6-4191-b13a-7c871bfb6e9f" ], "threat_actors": [ { "id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4", "created_at": "2025-08-07T02:03:25.123407Z", "updated_at": "2026-04-10T02:00:03.668131Z", "deleted_at": null, "main_name": "ZINC EMERSON", "aliases": [ "Confucius ", "Dropping Elephant ", "EHDevel ", "Manul ", "Monsoon ", "Operation Hangover ", "Patchwork ", "TG-4410 ", "Viceroy Tiger " ], "source_name": "Secureworks:ZINC EMERSON", "tools": [ "Enlighten Infostealer", "Hanove", "Mac OS X KitM Spyware", "Proyecto2", "YTY Backdoor" ], "source_id": "Secureworks", "reports": null }, { "id": "7ea1e0de-53b9-4059-802f-485884180701", "created_at": "2022-10-25T16:07:24.04846Z", "updated_at": "2026-04-10T02:00:04.84985Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "APT-C-09", "ATK 11", "Capricorn Organisation", "Chinastrats", "Dropping Elephant", "G0040", "Maha Grass", "Quilted Tiger", "TG-4410", "Thirsty Gemini", "Zinc Emerson" ], "source_name": "ETDA:Patchwork", "tools": [ "AndroRAT", "Artra Downloader", "ArtraDownloader", "AutoIt backdoor", "BADNEWS", "BIRDDOG", "Bahamut", "Bozok", "Bozok RAT", "Brute Ratel", "Brute Ratel C4", "CinaRAT", "Crypta", "ForeIT", "JakyllHyde", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "NDiskMonitor", "Nadrac", "PGoShell", "PowerSploit", "PubFantacy", "Quasar RAT", "QuasarRAT", "Ragnatela", "Ragnatela RAT", "SocksBot", "TINYTYPHON", "Unknown Logger", "WSCSPL", "Yggdrasil" ], "source_id": "ETDA", "reports": null }, { "id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6", "created_at": "2022-10-25T15:50:23.285448Z", "updated_at": "2026-04-10T02:00:05.282202Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "Hangover Group", "Dropping Elephant", "Chinastrats", "Operation Hangover" ], "source_name": "MITRE:Patchwork", "tools": [ "NDiskMonitor", "QuasarRAT", "BackConfig", "TINYTYPHON", "AutoIt backdoor", "PowerSploit", "BADNEWS", "Unknown Logger" ], "source_id": "MITRE", "reports": null }, { "id": "2b29dd16-a06f-4830-81a1-365443bc54b8", "created_at": "2023-01-06T13:46:38.460047Z", "updated_at": "2026-04-10T02:00:02.983931Z", "deleted_at": null, "main_name": "QUILTED TIGER", "aliases": [ "Chinastrats", "Sarit", "APT-C-09", "ZINC EMERSON", "ATK11", "G0040", "Orange Athos", "Thirsty Gemini", "Dropping Elephant" ], "source_name": "MISPGALAXY:QUILTED TIGER", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434459, "ts_updated_at": 1775826690, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0480e259159ced43c5e3d50c141194ebd395a6d9.pdf", "text": "https://archive.orkl.eu/0480e259159ced43c5e3d50c141194ebd395a6d9.txt", "img": "https://archive.orkl.eu/0480e259159ced43c5e3d50c141194ebd395a6d9.jpg" } }