{ "id": "d1db04fc-9904-4fad-b078-42f6015baa11", "created_at": "2026-04-06T00:17:46.184928Z", "updated_at": "2026-04-10T13:12:13.492026Z", "deleted_at": null, "sha1_hash": "0b25873852072be0632f966a9a2307b2ceea6d0a", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51925, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:28:13 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SprySOCKS\r\n Tool: SprySOCKS\r\nNames SprySOCKS\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Trend Micro) Analysis of the SprySOCKS backdoor reveals some interesting findings. The\r\nbackdoor contains a marker that refers to the backdoor’s version number. We have identified\r\ntwo SprySOCKS payloads that contain two different version numbers, indicating that the\r\nbackdoor is still under development. In addition, we noticed that the implementation of the\r\ninteractive shell is likely inspired from the Linux variant of the Derusbi malware.\r\nMeanwhile, the structure of SprySOCKS’s command-and-control (C\u0026C) protocol is similar to\r\none used by the RedLeaves backdoor, a remote access trojan (RAT) reported to be infecting\r\nWindows machines. It consists of two components, the loader and the encrypted main payload.\r\nThe loader is responsible for reading, decrypting, and running the main payload.\r\nInformation\r\n\u003chttps://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/elf.spry_socks\u003e\r\nLast change to this tool card: 13 October 2023\r\nDownload this tool card in JSON format\r\nAll groups using tool SprySOCKS\r\nChanged Name Country Observed\r\nAPT groups\r\n  Earth Lusca 2019-Sep 2024  \r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=13243f5b-af8f-4cca-92d0-fda5be8c437a\r\nPage 1 of 2\n\nRedHotel, TAG-22 2021-2022  \r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=13243f5b-af8f-4cca-92d0-fda5be8c437a\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=13243f5b-af8f-4cca-92d0-fda5be8c437a\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=13243f5b-af8f-4cca-92d0-fda5be8c437a" ], "report_names": [ "listgroups.cgi?u=13243f5b-af8f-4cca-92d0-fda5be8c437a" ], "threat_actors": [ { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "6a0effeb-3ee2-4a67-9a9f-ef5c330b1c3a", "created_at": "2023-09-07T02:02:47.827633Z", "updated_at": "2026-04-10T02:00:04.873323Z", "deleted_at": null, "main_name": "RedHotel", "aliases": [ "Operation FishMedley", "RedHotel", "TAG-22" ], "source_name": "ETDA:RedHotel", "tools": [ "Agentemis", "BIOPASS", "BIOPASS RAT", "BleDoor", "Brute Ratel", "Brute Ratel C4", "Cobalt Strike", "CobaltStrike", "FunnySwitch", "POISONPLUG.SHADOW", "RbDoor", "RibDoor", "RouterGod", "ShadowPad Winnti", "SprySOCKS", "Spyder", "Winnti", "XShellGhost", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434666, "ts_updated_at": 1775826733, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0b25873852072be0632f966a9a2307b2ceea6d0a.pdf", "text": "https://archive.orkl.eu/0b25873852072be0632f966a9a2307b2ceea6d0a.txt", "img": "https://archive.orkl.eu/0b25873852072be0632f966a9a2307b2ceea6d0a.jpg" } }