{ "id": "a737ca5e-a97d-4119-a052-737d0db51267", "created_at": "2026-04-06T00:13:15.121698Z", "updated_at": "2026-04-10T03:35:56.668355Z", "deleted_at": null, "sha1_hash": "12965ea92aafc407425d6cdb9a70ed76ce3b5da8", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 73469, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:19:15 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool NanoCore RAT\n Tool: NanoCore RAT\nNames\nNanoCore RAT\nNanoCore\nNancrat\nZurten\nAtros2.CKPN\nCategory Malware\nType Backdoor, Info stealer, Credential stealer\nDescription\nNanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It has\nbeen used for a while by numerous criminal actors as well as by nation state threat\nactors.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 25 January 2022\nDownload this tool card in JSON format\nAll groups using tool NanoCore RAT\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b69c2d2-7c21-4b16-b039-2400387dd956\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  Aggah [Unknown] 2018-Jun 2022  \r\n  APT 33, Elfin, Magnallium 2013-Apr 2024  \r\n  Gorgon Group 2017-Jul 2020  \r\n  Group5 2015  \r\n  Operation Comando [Unknown] 2018  \r\n  RevengeHotels [Unknown] 2015  \r\n  TA2722 [Unknown] 2020  \r\n  Vendetta, TA2719 2020  \r\n8 groups listed (8 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b69c2d2-7c21-4b16-b039-2400387dd956\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b69c2d2-7c21-4b16-b039-2400387dd956\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b69c2d2-7c21-4b16-b039-2400387dd956" ], "report_names": [ "listgroups.cgi?u=9b69c2d2-7c21-4b16-b039-2400387dd956" ], "threat_actors": [ { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "40451441-a311-494f-8025-fdbad7a527d4", "created_at": "2024-02-06T02:00:04.114318Z", "updated_at": "2026-04-10T02:00:03.571851Z", "deleted_at": null, "main_name": "TA2719", "aliases": [], "source_name": "MISPGALAXY:TA2719", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "414d7c65-5872-4e56-8a7d-49a2aeef1632", "created_at": "2025-08-07T02:03:24.7983Z", "updated_at": "2026-04-10T02:00:03.76109Z", "deleted_at": null, "main_name": "COPPER FIELDSTONE", "aliases": [ "APT36 ", "Earth Karkaddan ", "Gorgon Group ", "Green Havildar ", "Mythic Leopard ", "Operation C-Major ", "Operation Transparent Tribe ", "Pasty Draco ", "ProjectM ", "Storm-0156 " ], "source_name": "Secureworks:COPPER FIELDSTONE", "tools": [ "CapraRAT", "Crimson RAT", "DarkComet", "ElizaRAT", "LuminosityLink", "ObliqueRAT", "Peppy", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "9aa9b489-a297-4dbd-8601-8fc0370201a6", "created_at": "2022-10-25T16:07:23.696796Z", "updated_at": "2026-04-10T02:00:04.71508Z", "deleted_at": null, "main_name": "Group5", "aliases": [ "G0043" ], "source_name": "ETDA:Group5", "tools": [ "Atros2.CKPN", "Bladabindi", "DroidJack", "Jorik", "Nancrat", "NanoCore", "NanoCore RAT", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "bfae615f-cb9c-479c-b97d-ba282c322db3", "created_at": "2022-10-25T16:07:24.123308Z", "updated_at": "2026-04-10T02:00:04.874176Z", "deleted_at": null, "main_name": "RevengeHotels", "aliases": [], "source_name": "ETDA:RevengeHotels", "tools": [ "888 RAT", "Atros2.CKPN", "Bladabindi", "Jorik", "Nancrat", "NanoCore", "NanoCore RAT", "Revenge RAT", "RevengeRAT", "Revetrat", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "cf0704ab-99e4-44d7-96d9-3cba91339229", "created_at": "2022-10-25T15:50:23.485375Z", "updated_at": "2026-04-10T02:00:05.332806Z", "deleted_at": null, "main_name": "Group5", "aliases": [ "Group5" ], "source_name": "MITRE:Group5", "tools": [ "njRAT", "NanoCore" ], "source_id": "MITRE", "reports": null }, { "id": "e819f7c1-855b-4834-b30c-493832336ddb", "created_at": "2022-10-25T16:07:23.939418Z", "updated_at": "2026-04-10T02:00:04.796807Z", "deleted_at": null, "main_name": "Operation Comando", "aliases": [], "source_name": "ETDA:Operation Comando", "tools": [ "AsyncRAT", "Atros2.CKPN", "Bladabindi", "CapturaTela", "Jorik", "LimeRAT", "Nancrat", "NanoCore", "NanoCore RAT", "Remcos", "RemcosRAT", "Remvio", "Revenge RAT", "RevengeRAT", "Revetrat", "Socmer", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "094d8210-4c64-4457-ad97-a94fc7af7630", "created_at": "2023-01-06T13:46:38.98103Z", "updated_at": "2026-04-10T02:00:03.170376Z", "deleted_at": null, "main_name": "Group5", "aliases": [ "G0043" ], "source_name": "MISPGALAXY:Group5", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "31a4f4ad-1aa7-48c2-8b16-58d48879644c", "created_at": "2024-02-06T02:00:04.13577Z", "updated_at": "2026-04-10T02:00:03.576453Z", "deleted_at": null, "main_name": "RevengeHotels", "aliases": [], "source_name": "MISPGALAXY:RevengeHotels", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b0d34dd6-ee90-483b-bb6c-441332274160", "created_at": "2022-10-25T16:07:23.296754Z", "updated_at": "2026-04-10T02:00:04.526403Z", "deleted_at": null, "main_name": "Aggah", "aliases": [ "Operation Red Deer", "Operation Roma225" ], "source_name": "ETDA:Aggah", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Aggah", "Atros2.CKPN", "Bladabindi", "Jorik", "Nancrat", "NanoCore", "NanoCore RAT", "Negasteal", "Origin Logger", "Revenge RAT", "RevengeRAT", "Revetrat", "Warzone", "Warzone RAT", "ZPAQ", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "18278778-fa63-4a9a-8988-4d266b8c5c1a", "created_at": "2023-01-06T13:46:38.769816Z", "updated_at": "2026-04-10T02:00:03.094179Z", "deleted_at": null, "main_name": "The Gorgon Group", "aliases": [ "Gorgon Group", "Subaat", "ATK92", "G0078", "Pasty Gemini" ], "source_name": "MISPGALAXY:The Gorgon Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd", "created_at": "2022-10-25T15:50:23.296989Z", "updated_at": "2026-04-10T02:00:05.347085Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "Gorgon Group" ], "source_name": "MITRE:Gorgon Group", "tools": [ "NanoCore", "QuasarRAT", "Remcos", "njRAT" ], "source_id": "MITRE", "reports": null }, { "id": "8259735e-8dd0-462f-80ff-c265fa839b76", "created_at": "2024-02-06T02:00:04.110337Z", "updated_at": "2026-04-10T02:00:03.57093Z", "deleted_at": null, "main_name": "TA2722", "aliases": [ "Balikbayan Foxes" ], "source_name": "MISPGALAXY:TA2722", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "0dbd3195-22ca-47c4-a3f1-aa058b06a1d9", "created_at": "2022-10-25T16:07:24.269634Z", "updated_at": "2026-04-10T02:00:04.917125Z", "deleted_at": null, "main_name": "TA2722", "aliases": [ "Balikbayan Foxes" ], "source_name": "ETDA:TA2722", "tools": [ "Atros2.CKPN", "Nancrat", "NanoCore", "NanoCore RAT", "Remcos", "RemcosRAT", "Remvio", "Socmer", "Zurten" ], "source_id": "ETDA", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2", "created_at": "2023-06-20T02:02:10.254614Z", "updated_at": "2026-04-10T02:00:03.365336Z", "deleted_at": null, "main_name": "Hagga", "aliases": [ "TH-157", "Aggah" ], "source_name": "MISPGALAXY:Hagga", "tools": [ "Agent Tesla" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "b938e2e3-3d1b-4b35-a031-ddf25b912557", "created_at": "2022-10-25T16:07:23.35582Z", "updated_at": "2026-04-10T02:00:04.55531Z", "deleted_at": null, "main_name": "APT 33", "aliases": [ "APT 33", "ATK 35", "Cobalt Trinity", "Curious Serpens", "Elfin", "G0064", "Holmium", "Magnallium", "Peach Sandstorm", "Refined Kitten", "TA451", "Yellow Orc" ], "source_name": "ETDA:APT 33", "tools": [ "Atros2.CKPN", "AutoIt backdoor", "Breut", "CinaRAT", "DROPSHOT", "DarkComet", "DarkKomet", "DistTrack", "EmPyre", "EmpireProject", "FYNLOS", "FalseFont", "Filerase", "Fynloski", "JuicyPotato", "Krademok", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Mimikatz", "Nancrat", "NanoCore", "NanoCore RAT", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Notestuk", "POWERTON", "PoshC2", "PowerBand", "PowerShell Empire", "PowerSploit", "PsList", "Pupy", "PupyRAT", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "SHAPESHIFT", "Shamoon", "Socmer", "StoneDrill", "TURNEDUP", "Tickler", "Yggdrasil", "Zurten", "klovbot", "pupy" ], "source_id": "ETDA", "reports": null }, { "id": "3a0cfbbc-2acf-4cc8-afe1-1859679c522c", "created_at": "2022-10-25T16:07:24.373716Z", "updated_at": "2026-04-10T02:00:04.963615Z", "deleted_at": null, "main_name": "Vendetta", "aliases": [ "TA2719" ], "source_name": "ETDA:Vendetta", "tools": [ "AsyncRAT", "Atros2.CKPN", "Nancrat", "NanoCore", "NanoCore RAT", "ReZer0", "Remcos", "RemcosRAT", "Remvio", "RoboSki", "Socmer", "Zurten" ], "source_id": "ETDA", "reports": null }, { "id": "e1e83b71-854a-4ddf-82ed-141c1d151c3c", "created_at": "2023-01-06T13:46:38.934536Z", "updated_at": "2026-04-10T02:00:03.150803Z", "deleted_at": null, "main_name": "Operation Comando", "aliases": [], "source_name": "MISPGALAXY:Operation Comando", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53", "created_at": "2022-10-25T16:07:23.693797Z", "updated_at": "2026-04-10T02:00:04.711987Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "ATK 92", "G0078", "Pasty Draco", "Subaat", "TAG-CR5" ], "source_name": "ETDA:Gorgon Group", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Atros2.CKPN", "Bladabindi", "CinaRAT", "Crimson RAT", "ForeIT", "Jorik", "LOLBAS", "LOLBins", "Living off the Land", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "MSIL", "MSIL/Crimson", "Nancrat", "NanoCore", "NanoCore RAT", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Origin Logger", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "Revenge RAT", "RevengeRAT", "Revetrat", "SEEDOOR", "Scarimson", "Socmer", "Yggdrasil", "ZPAQ", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434395, "ts_updated_at": 1775792156, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/12965ea92aafc407425d6cdb9a70ed76ce3b5da8.pdf", "text": "https://archive.orkl.eu/12965ea92aafc407425d6cdb9a70ed76ce3b5da8.txt", "img": "https://archive.orkl.eu/12965ea92aafc407425d6cdb9a70ed76ce3b5da8.jpg" } }