{ "id": "2538dc0f-b5a4-4e06-9b2a-08173e59717a", "created_at": "2026-04-06T01:31:29.213932Z", "updated_at": "2026-04-10T03:36:22.13603Z", "deleted_at": null, "sha1_hash": "1301bddca12a3c9baeee5996fa37980bff8d1b81", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48959, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:08:22 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Salgorea\r\n Tool: Salgorea\r\nNames\r\nSalgorea\r\nBadCake\r\nCategory Malware\r\nType Reconnaissance, Backdoor\r\nDescription\r\n(Accenture) This backdoor is commonly dropped by either an SFX or an exploit document\r\n(e.g. Microsoft Corp. Word or PDF file).\r\nSome of this backdoor’s observed capabilities include:\r\n• Arbitrary file, process and registration creation\r\n• Fingerprinting the local machine\r\n• Running arbitrary shellcode\r\nOnce dropped, it is usually divided into multiple components in order to be side-loaded, in a\r\nfashion similar to other remote access tools including PlugX and NetTraveler.\r\nInformation \u003chttps://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea\u003e\r\nLast change to this tool card: 23 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Salgorea\r\nChanged Name Country Observed\r\nAPT groups\r\n  APT 32, OceanLotus, SeaLotus 2013-Aug 2024\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a4e1fbba-2e37-453c-b688-420e2bb03cdd\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a4e1fbba-2e37-453c-b688-420e2bb03cdd\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a4e1fbba-2e37-453c-b688-420e2bb03cdd\r\nPage 2 of 2\n\nAPT groups APT 32, OceanLotus, SeaLotus 2013-Aug 2024 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a4e1fbba-2e37-453c-b688-420e2bb03cdd" ], "report_names": [ "listgroups.cgi?u=a4e1fbba-2e37-453c-b688-420e2bb03cdd" ], "threat_actors": [ { "id": "af509bbb-8d18-4903-a9bd-9e94099c6b30", "created_at": "2023-01-06T13:46:38.585525Z", "updated_at": "2026-04-10T02:00:03.030833Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "OceanLotus", "ATK17", "G0050", "APT-C-00", "APT-32", "Canvas Cyclone", "SeaLotus", "Ocean Buffalo", "OceanLotus Group", "Cobalt Kitty", "Sea Lotus", "APT 32", "POND LOACH", "TIN WOODLAWN", "Ocean Lotus" ], "source_name": "MISPGALAXY:APT32", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680", "created_at": "2022-10-25T16:07:23.899157Z", "updated_at": "2026-04-10T02:00:04.782542Z", "deleted_at": null, "main_name": "NetTraveler", "aliases": [ "APT 21", "Hammer Panda", "NetTraveler", "TEMP.Zhenbao" ], "source_name": "ETDA:NetTraveler", "tools": [ "Agent.dhwf", "Destroy RAT", "DestroyRAT", "Kaba", "Korplug", "NetTraveler", "Netfile", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "TravNet", "Xamtrav" ], "source_id": "ETDA", "reports": null }, { "id": "870f6f62-84f5-48ca-a18e-cf2902cd6924", "created_at": "2022-10-25T15:50:23.303818Z", "updated_at": "2026-04-10T02:00:05.301184Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "APT32", "SeaLotus", "OceanLotus", "APT-C-00", "Canvas Cyclone" ], "source_name": "MITRE:APT32", "tools": [ "Mimikatz", "ipconfig", "Kerrdown", "Cobalt Strike", "SOUNDBITE", "OSX_OCEANLOTUS.D", "KOMPROGO", "netsh", "RotaJakiro", "PHOREAL", "Arp", "Denis", "Goopy" ], "source_id": "MITRE", "reports": null }, { "id": "254f2fab-5834-4d90-9205-d80e63d6d867", "created_at": "2023-01-06T13:46:38.31544Z", "updated_at": "2026-04-10T02:00:02.924166Z", "deleted_at": null, "main_name": "APT21", "aliases": [ "HAMMER PANDA", "TEMP.Zhenbao", "NetTraveler" ], "source_name": "MISPGALAXY:APT21", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5da6b5fd-1955-412a-81aa-069fb50b6e31", "created_at": "2025-08-07T02:03:25.116085Z", "updated_at": "2026-04-10T02:00:03.668978Z", "deleted_at": null, "main_name": "TIN WOODLAWN", "aliases": [ "APT32 ", "Cobalt Kitty", "OceanLotus", "WOODLAWN " ], "source_name": "Secureworks:TIN WOODLAWN", "tools": [ "Cobalt Strike", "Denis", "Goopy", "JEShell", "KerrDown", "Mimikatz", "Ratsnif", "Remy", "Rizzo", "RolandRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "2439ad53-39cc-4fff-8fdf-4028d65803c0", "created_at": "2022-10-25T16:07:23.353204Z", "updated_at": "2026-04-10T02:00:04.55407Z", "deleted_at": null, "main_name": "APT 32", "aliases": [ "APT 32", "APT-C-00", "APT-LY-100", "ATK 17", "G0050", "Lotus Bane", "Ocean Buffalo", "OceanLotus", "Operation Cobalt Kitty", "Operation PhantomLance", "Pond Loach", "SeaLotus", "SectorF01", "Tin Woodlawn" ], "source_name": "ETDA:APT 32", "tools": [ "Agentemis", "Android.Backdoor.736.origin", "AtNow", "Backdoor.MacOS.OCEANLOTUS.F", "BadCake", "CACTUSTORCH", "CamCapture Plugin", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Cuegoe", "DKMC", "Denis", "Goopy", "HiddenLotus", "KOMPROGO", "KerrDown", "METALJACK", "MSFvenom", "Mimikatz", "Nishang", "OSX_OCEANLOTUS.D", "OceanLotus", "PHOREAL", "PWNDROID1", "PhantomLance", "PowerSploit", "Quasar RAT", "QuasarRAT", "RatSnif", "Remy", "Remy RAT", "Rizzo", "Roland", "Roland RAT", "SOUNDBITE", "Salgorea", "Splinter RAT", "Terracotta VPN", "Yggdrasil", "cobeacon", "denesRAT", "fingerprintjs2" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439089, "ts_updated_at": 1775792182, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1301bddca12a3c9baeee5996fa37980bff8d1b81.pdf", "text": "https://archive.orkl.eu/1301bddca12a3c9baeee5996fa37980bff8d1b81.txt", "img": "https://archive.orkl.eu/1301bddca12a3c9baeee5996fa37980bff8d1b81.jpg" } }