{
	"id": "e206967b-920c-40dd-a03c-a516bfce27d6",
	"created_at": "2026-04-06T00:14:07.3217Z",
	"updated_at": "2026-04-10T13:12:33.014744Z",
	"deleted_at": null,
	"sha1_hash": "085211f3bb12545d07d59109efe2aad15ef00bea",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48710,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:09:02 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Octopus\n Tool: Octopus\nNames Octopus\nCategory Malware\nType Backdoor\nDescription\n(Kaspersky) The name was originally coined by ESET in 2017 after the 0ct0pus3.php\nscript used by the actor on their old C2 servers.\nIn the case of Octopus, DustSquad used Delphi as their programming language of\nchoice, which is unusual for such an actor.\nIn April 2018 we discovered a new Octopus sample pretending to be Telegram\nMessenger with a Russian interface. We couldn't find any legitimate software that this\nmalware appears to be impersonating; in fact, we don't believe it exists. The Trojan uses\nthird-party Delphi libraries like The Indy Project for JSON-based C2 communications\nand TurboPower Abbrevia (sourceforge.net/projects/tpabbrevia) for compression.\nMalware persistence is basic and achieved via the system registry. The server side uses\ncommercial hosting in different countries with .php scripts deployed.\nInformation MITRE ATT\u0026CK Malpedia Last change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool Octopus\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3d3bf55f-402e-4122-a52b-196aed8e6507\nPage 1 of 2\n\nDustSquad, Golden Falcon 2014-2020  \r\n  LazyScripter [Unknown] 2018  \r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3d3bf55f-402e-4122-a52b-196aed8e6507\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3d3bf55f-402e-4122-a52b-196aed8e6507\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3d3bf55f-402e-4122-a52b-196aed8e6507"
	],
	"report_names": [
		"listgroups.cgi?u=3d3bf55f-402e-4122-a52b-196aed8e6507"
	],
	"threat_actors": [
		{
			"id": "978775b9-369d-44f7-8a42-76d7b9cb42d5",
			"created_at": "2022-10-25T15:50:23.846105Z",
			"updated_at": "2026-04-10T02:00:05.36378Z",
			"deleted_at": null,
			"main_name": "Nomadic Octopus",
			"aliases": [
				"Nomadic Octopus",
				"DustSquad"
			],
			"source_name": "MITRE:Nomadic Octopus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b20281dd-8cc4-4284-b85c-f98c7e09ae48",
			"created_at": "2022-10-25T15:50:23.642844Z",
			"updated_at": "2026-04-10T02:00:05.392724Z",
			"deleted_at": null,
			"main_name": "LazyScripter",
			"aliases": [
				"LazyScripter"
			],
			"source_name": "MITRE:LazyScripter",
			"tools": [
				"Remcos",
				"QuasarRAT",
				"njRAT",
				"ngrok",
				"Koadic",
				"KOCTOPUS"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "70661552-6715-4750-bf4e-527055d3e7b4",
			"created_at": "2023-11-08T02:00:07.114392Z",
			"updated_at": "2026-04-10T02:00:03.417207Z",
			"deleted_at": null,
			"main_name": "DustSquad",
			"aliases": [
				"Nomadic Octopus"
			],
			"source_name": "MISPGALAXY:DustSquad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "712fc9fa-4283-431b-882c-5e0de9c12452",
			"created_at": "2022-10-25T16:07:23.770209Z",
			"updated_at": "2026-04-10T02:00:04.745132Z",
			"deleted_at": null,
			"main_name": "LazyScripter",
			"aliases": [
				"G0140"
			],
			"source_name": "ETDA:LazyScripter",
			"tools": [
				"Adwind",
				"Adwind RAT",
				"Alien Spy",
				"AlienSpy",
				"Bladabindi",
				"CinaRAT",
				"EmPyre",
				"EmpireProject",
				"Empoder",
				"Frutas",
				"Gussdoor",
				"Invoke-Ngrok",
				"JBifrost RAT",
				"JSocket",
				"Jorik",
				"KOCTOPUS",
				"Koadic",
				"Luminosity RAT",
				"LuminosityLink",
				"Nishang",
				"PowerShell Empire",
				"Quasar RAT",
				"QuasarRAT",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"RuRAT",
				"Sockrat",
				"Socmer",
				"Trojan.Maljava",
				"UnReCoM",
				"Unknown RAT",
				"Unrecom",
				"Yggdrasil",
				"jBiFrost",
				"jConnectPro RAT",
				"jFrutas",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8b1844c0-671a-41e0-abb1-8abc556738b5",
			"created_at": "2023-01-06T13:46:39.074954Z",
			"updated_at": "2026-04-10T02:00:03.2046Z",
			"deleted_at": null,
			"main_name": "APT-C-34",
			"aliases": [
				"Golden Falcon"
			],
			"source_name": "MISPGALAXY:APT-C-34",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6fe4b4f-9694-4ffc-94ef-a0cc5aef94d9",
			"created_at": "2022-10-25T16:07:23.556112Z",
			"updated_at": "2026-04-10T02:00:04.655561Z",
			"deleted_at": null,
			"main_name": "DustSquad",
			"aliases": [
				"APT-C-34",
				"DustSquad",
				"G0133",
				"Golden Falcon",
				"Nomadic Octopus"
			],
			"source_name": "ETDA:DustSquad",
			"tools": [
				"Garpun",
				"Paperbug",
				"Remote Control System"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434447,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/085211f3bb12545d07d59109efe2aad15ef00bea.pdf",
		"text": "https://archive.orkl.eu/085211f3bb12545d07d59109efe2aad15ef00bea.txt",
		"img": "https://archive.orkl.eu/085211f3bb12545d07d59109efe2aad15ef00bea.jpg"
	}
}