{ "id": "7529180b-e4ce-40da-b458-41a03b1c2714", "created_at": "2026-04-06T03:37:13.462682Z", "updated_at": "2026-04-12T02:21:22.47413Z", "deleted_at": null, "sha1_hash": "0891b51f6acbd41edbdfc0c241390c5bf4a33ec1", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49128, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 03:31:51 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Doraemon\n Tool: Doraemon\nNames Doraemon\nCategory Malware\nType Backdoor\nDescription\n(Trend Micro) While this backdoor is already quite old, it is rarely discussed by the general\npublic. Recently mentioned by ESET in their SideWalk report, we first encountered Doraemon\naround 2016 in incidents involving Korean and Taiwanese online gaming companies. It then\ndisappeared from view for about three years until we encountered it again in 2020.\nInformation\nLast change to this tool card: 25 January 2022\nDownload this tool card in JSON format\nAll groups using tool Doraemon\nChanged Name Country Observed\nAPT groups\n Earth Lusca 2019-Sep 2024\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cca9f97f-1567-4729-9da0-837e026dbc7f\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cca9f97f-1567-4729-9da0-837e026dbc7f\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cca9f97f-1567-4729-9da0-837e026dbc7f" ], "report_names": [ "listgroups.cgi?u=cca9f97f-1567-4729-9da0-837e026dbc7f" ], "threat_actors": [ { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-12T02:00:03.384084Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "AQUATIC PANDA", "Charcoal Typhoon", "BountyGlad", "Red Scylla", "BRONZE UNIVERSITY", "Red Dev 10", "RedHotel" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch", "RouterGod", "SprySOCKS" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-12T02:00:03.586283Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-12T02:00:04.570043Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-12T02:00:04.38245Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775446633, "ts_updated_at": 1775960482, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0891b51f6acbd41edbdfc0c241390c5bf4a33ec1.pdf", "text": "https://archive.orkl.eu/0891b51f6acbd41edbdfc0c241390c5bf4a33ec1.txt", "img": "https://archive.orkl.eu/0891b51f6acbd41edbdfc0c241390c5bf4a33ec1.jpg" } }