{ "id": "4960d4af-0668-459e-ba87-6991eeac0585", "created_at": "2026-04-06T00:13:22.740711Z", "updated_at": "2026-04-10T13:12:53.794124Z", "deleted_at": null, "sha1_hash": "06b584e63884739f491f3a0776823bfd55b1d93f", "title": "Aria-body loader - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50170, "plain_text": "Aria-body loader - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 15:17:43 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Aria-body loader\n Tool: Aria-body loader\nNames Aria-body loader\nCategory Malware\nType Loader\nDescription\n(Check Point) The functionality of the Aria-body loader has not changed significantly since\n2017, but the implementation varied from version to version. This loader appears to be\nspecifically created for the Aria-body backdoor.\nOverall, the loader is responsible for the following tasks:\n• Establish persistence via the Startup folder or theRun registry key (some variants).\n• Inject itself to another process such as rundll32.exe and dllhost.exe (some variants).\n• Decrypt two blobs: Import Table and the loader configuration.\n• Utilize a DGA algorithm if required.\n• Contact the embedded / calculated C\u0026C address in order to retrieve the next stage payload.\n• Decrypt the received payload DLL (Aria-body backdoor).\n• Load and execute an exported function of the DLL – calculated using djb2 hashing\nalgorithm.\nInformation Malpedia Last change to this tool card: 27 December 2022\nDownload this tool card in JSON format\nAll groups using tool Aria-body loader\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5eaa1038-46a4-4d05-8982-25ef7e1cf077\nPage 1 of 2\n\nAPT groups\r\n  Naikon, Lotus Panda 2010-Apr 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5eaa1038-46a4-4d05-8982-25ef7e1cf077\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5eaa1038-46a4-4d05-8982-25ef7e1cf077\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5eaa1038-46a4-4d05-8982-25ef7e1cf077" ], "report_names": [ "listgroups.cgi?u=5eaa1038-46a4-4d05-8982-25ef7e1cf077" ], "threat_actors": [ { "id": "b69484be-98d1-49e6-aed1-a28dbf65176a", "created_at": "2022-10-25T16:07:23.886782Z", "updated_at": "2026-04-10T02:00:04.779029Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "G0019", "Hellsing", "ITG06", "Lotus Panda", "Naikon", "Operation CameraShy" ], "source_name": "ETDA:Naikon", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "AR", "ARL", "Agent.dhwf", "Aria-body", "Aria-body loader", "Asset Reconnaissance Lighthouse", "BackBend", "Creamsicle", "Custom HDoor", "Destroy RAT", "DestroyRAT", "Flashflood", "FoundCore", "Gemcutter", "HDoor", "JadeRAT", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LadonGo", "Lecna", "Living off the Land", "NBTscan", "Naikon", "NetEagle", "Neteagle_Scout", "NewCore RAT", "Orangeade", "PlugX", "Quarks PwDump", "RARSTONE", "RainyDay", "RedDelta", "RoyalRoad", "Sacto", "Sandboxie", "ScoutEagle", "Shipshape", "Sisfader", "Sisfader RAT", "Sogu", "SslMM", "Sys10", "TIGERPLUG", "TVT", "TeamViewer", "Thoper", "WinMM", "Xamtrav", "XsFunction", "ZRLnk", "nbtscan", "nokian", "norton", "xsControl", "xsPlus" ], "source_id": "ETDA", "reports": null }, { "id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32", "created_at": "2023-04-20T02:01:50.979595Z", "updated_at": "2026-04-10T02:00:02.913011Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "BRONZE STERLING", "G0013", "PLA Unit 78020", "OVERRIDE PANDA", "Camerashy", "BRONZE GENEVA", "G0019", "Naikon" ], "source_name": "MISPGALAXY:Naikon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c21da9ce-944f-4a37-8ce3-71a0f738af80", "created_at": "2025-08-07T02:03:24.586257Z", "updated_at": "2026-04-10T02:00:03.804264Z", "deleted_at": null, "main_name": "BRONZE ELGIN", "aliases": [ "CTG-8171 ", "Lotus Blossom ", "Lotus Panda ", "Lstudio", "Spring Dragon " ], "source_name": "Secureworks:BRONZE ELGIN", "tools": [ "Chrysalis", "Cobalt Strike", "Elise", "Emissary Trojan", "Lzari", "Meterpreter" ], "source_id": "Secureworks", "reports": null }, { "id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf", "created_at": "2022-10-25T15:50:23.31611Z", "updated_at": "2026-04-10T02:00:05.370146Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "Naikon" ], "source_name": "MITRE:Naikon", "tools": [ "ftp", "netsh", "WinMM", "Systeminfo", "RainyDay", "RARSTONE", "HDoor", "Sys10", "SslMM", "PsExec", "Tasklist", "Aria-body" ], "source_id": "MITRE", "reports": null }, { "id": "87a20b72-ab72-402f-9013-c746c8458b0b", "created_at": "2023-01-06T13:46:38.293223Z", "updated_at": "2026-04-10T02:00:02.915184Z", "deleted_at": null, "main_name": "LOTUS PANDA", "aliases": [ "Red Salamander", "Lotus BLossom", "Billbug", "Spring Dragon", "ST Group", "BRONZE ELGIN", "ATK1", "G0030", "Lotus Blossom", "DRAGONFISH" ], "source_name": "MISPGALAXY:LOTUS PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62", "created_at": "2025-08-07T02:03:24.604463Z", "updated_at": "2026-04-10T02:00:03.798481Z", "deleted_at": null, "main_name": "BRONZE GENEVA", "aliases": [ "APT30 ", "BRONZE STERLING ", "CTG-5326 ", "Naikon ", "Override Panda ", "RADIUM ", "Raspberry Typhoon" ], "source_name": "Secureworks:BRONZE GENEVA", "tools": [ "Lecna Downloader", "Nebulae", "ShadowPad" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434402, "ts_updated_at": 1775826773, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/06b584e63884739f491f3a0776823bfd55b1d93f.pdf", "text": "https://archive.orkl.eu/06b584e63884739f491f3a0776823bfd55b1d93f.txt", "img": "https://archive.orkl.eu/06b584e63884739f491f3a0776823bfd55b1d93f.jpg" } }