{
	"id": "a8fb6ba5-4f0a-4943-a3b4-901d46fc7ffc",
	"created_at": "2026-04-06T00:09:54.733767Z",
	"updated_at": "2026-04-10T13:13:00.757525Z",
	"deleted_at": null,
	"sha1_hash": "05e5431ef4147baa60bc5b6e3c37691064e93b0c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49218,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:56:22 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool FoundCore\n Tool: FoundCore\nNames\nFoundCore\nRainyDay\nCategory Malware\nType Backdoor, Info stealer\nDescription\n(Kaspersky) Communications with the server can take place either over raw TCP sockets\nencrypted with RC4, or via HTTPS. Commands supported by FoundCore include filesystem\nmanipulation, process manipulation, screenshot captures and arbitrary command execution.\nInformation\nLast change to this tool card: 15 May 2021\nDownload this tool card in JSON format\nAll groups using tool FoundCore\nChanged Name Country Observed\nAPT groups\n Goblin Panda, Cycldek, Conimes 2013-Jun 2020\n Naikon, Lotus Panda 2010-Apr 2022\n2 groups listed (2 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd134b1c-5367-4606-a171-2ab6a45ef77f\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd134b1c-5367-4606-a171-2ab6a45ef77f\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd134b1c-5367-4606-a171-2ab6a45ef77f"
	],
	"report_names": [
		"listgroups.cgi?u=fd134b1c-5367-4606-a171-2ab6a45ef77f"
	],
	"threat_actors": [
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434194,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05e5431ef4147baa60bc5b6e3c37691064e93b0c.pdf",
		"text": "https://archive.orkl.eu/05e5431ef4147baa60bc5b6e3c37691064e93b0c.txt",
		"img": "https://archive.orkl.eu/05e5431ef4147baa60bc5b6e3c37691064e93b0c.jpg"
	}
}