{ "id": "81362dbb-7932-49d4-904d-5667408894b9", "created_at": "2026-04-06T01:30:00.592005Z", "updated_at": "2026-04-10T03:34:15.518169Z", "deleted_at": null, "sha1_hash": "0e0b927f1048849ff49f65f427d8042d253c6221", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 60566, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 00:06:54 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Matryoshka RAT\n Tool: Matryoshka RAT\nNames\nMatryoshka RAT\nMatryoshka\nCategory Malware\nType Backdoor, Dropper, Loader, Info stealer\nDescription\n(ClearSky) The Matryoshka infection framework is built of three parts:\n• Dropper\no Obfuscating code and signaling to the C2 that the file has been executed\no Launching the loader and using it to execute functions.\no Comparing anti-analysis logic and reporting it back to C2\n• Reflective Loader\no Employing anti-debugging and anti-sandboxing techniques\no Runtime API Address resolver\no Covert DLL injection of the RAT library\no Persistence file on disk\n• RAT component\no Configuring the Reflective Loader to survive reboots and process exits\no DNS Command and Control communication\no Common RAT functionalities\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dc27057d-c0bb-48f2-a418-4293b46366fc\nPage 1 of 2\n\nAll groups using tool Matryoshka RAT\r\nChanged Name Country Observed\r\nAPT groups\r\n  CopyKittens, Slayer Kitten 2013-Jan 2017  \r\n  Magic Hound, APT 35, Cobalt Illusion, Charming Kitten 2012-Jun 2025\r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dc27057d-c0bb-48f2-a418-4293b46366fc\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dc27057d-c0bb-48f2-a418-4293b46366fc\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dc27057d-c0bb-48f2-a418-4293b46366fc" ], "report_names": [ "listgroups.cgi?u=dc27057d-c0bb-48f2-a418-4293b46366fc" ], "threat_actors": [ { "id": "82b92285-4588-48c9-8578-bb39f903cf62", "created_at": "2022-10-25T15:50:23.850506Z", "updated_at": "2026-04-10T02:00:05.418577Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "Charming Kitten" ], "source_name": "MITRE:Charming Kitten", "tools": [ "DownPaper" ], "source_id": "MITRE", "reports": null }, { "id": "d8af157e-741b-4933-bb4a-b78490951d97", "created_at": "2023-01-06T13:46:38.748929Z", "updated_at": "2026-04-10T02:00:03.087356Z", "deleted_at": null, "main_name": "APT35", "aliases": [ "COBALT MIRAGE", "Agent Serpens", "Newscaster Team", "Magic Hound", "G0059", "Phosphorus", "Mint Sandstorm", "TunnelVision" ], "source_name": "MISPGALAXY:APT35", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9fb19abe-4035-4f22-a595-641b7f3443a9", "created_at": "2022-10-25T15:50:23.748944Z", "updated_at": "2026-04-10T02:00:05.395401Z", "deleted_at": null, "main_name": "CopyKittens", "aliases": [ "CopyKittens" ], "source_name": "MITRE:CopyKittens", "tools": [ "Cobalt Strike", "TDTESS", "Matryoshka" ], "source_id": "MITRE", "reports": null }, { "id": "029625d2-9734-44f9-9e10-b894b4f57f08", "created_at": "2023-01-06T13:46:38.364105Z", "updated_at": "2026-04-10T02:00:02.944092Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "iKittens", "Group 83", "NewsBeef", "G0058", "CharmingCypress", "Mint Sandstorm", "Parastoo" ], "source_name": "MISPGALAXY:Charming Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "f4557ed9-2455-44c5-a768-dfb80ccae259", "created_at": "2023-01-06T13:46:38.652329Z", "updated_at": "2026-04-10T02:00:03.055638Z", "deleted_at": null, "main_name": "CopyKittens", "aliases": [ "Slayer Kitten", "G0052" ], "source_name": "MISPGALAXY:CopyKittens", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f", "created_at": "2022-10-25T16:07:23.83826Z", "updated_at": "2026-04-10T02:00:04.761303Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "APT 35", "Agent Serpens", "Ballistic Bobcat", "Charming Kitten", "CharmingCypress", "Cobalt Illusion", "Cobalt Mirage", "Educated Manticore", "G0058", "G0059", "Magic Hound", "Mint Sandstorm", "Operation BadBlood", "Operation Sponsoring Access", "Operation SpoofedScholars", "Operation Thamar Reservoir", "Phosphorus", "TA453", "TEMP.Beanie", "Tarh Andishan", "Timberworm", "TunnelVision", "UNC788", "Yellow Garuda" ], "source_name": "ETDA:Magic Hound", "tools": [ "7-Zip", "AnvilEcho", "BASICSTAR", "CORRUPT KITTEN", "CWoolger", "CharmPower", "ChromeHistoryView", "CommandCam", "DistTrack", "DownPaper", "FRP", "Fast Reverse Proxy", "FireMalv", "Ghambar", "GoProxy", "GorjolEcho", "HYPERSCRAPE", "Havij", "MPK", "MPKBot", "Matryoshka", "Matryoshka RAT", "MediaPl", "Mimikatz", "MischiefTut", "NETWoolger", "NOKNOK", "PINEFLOWER", "POWERSTAR", "PowerLess Backdoor", "PsList", "Pupy", "PupyRAT", "SNAILPROXY", "Shamoon", "TDTESS", "WinRAR", "WoolenLogger", "Woolger", "pupy", "sqlmap" ], "source_id": "ETDA", "reports": null }, { "id": "467c5e72-55a6-40a9-9b73-bb764889c0a5", "created_at": "2022-10-25T16:07:23.486532Z", "updated_at": "2026-04-10T02:00:04.628477Z", "deleted_at": null, "main_name": "CopyKittens", "aliases": [ "CopyKittens", "G0052", "Operation Wilted Tulip", "Slayer Kitten" ], "source_name": "ETDA:CopyKittens", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "EmPyre", "EmpireProject", "Matryoshka", "Matryoshka RAT", "PowerShell Empire", "TDTESS", "Vminst", "ZPP", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439000, "ts_updated_at": 1775792055, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0e0b927f1048849ff49f65f427d8042d253c6221.pdf", "text": "https://archive.orkl.eu/0e0b927f1048849ff49f65f427d8042d253c6221.txt", "img": "https://archive.orkl.eu/0e0b927f1048849ff49f65f427d8042d253c6221.jpg" } }