{
	"id": "73264f78-fffe-4b54-9bce-14b3d2276a4b",
	"created_at": "2026-04-06T00:18:23.307255Z",
	"updated_at": "2026-04-10T03:29:58.974232Z",
	"deleted_at": null,
	"sha1_hash": "16701c394c4c97ff921252723d96a8b5022938b0",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50189,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:36:05 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool 3102 RAT\n Tool: 3102 RAT\nNames 3102 RAT\nCategory Malware\nType Backdoor, Info stealer\nDescription\n(Palo Alto) On May 6 and May 11, 2015, Unit 42 observed two targeted attacks, the first\nagainst the U.S. government and the second on a European media company. Threat actors\ndelivered the same document via spear-phishing emails to both organizations. The actors\nweaponized the delivery document to install a variant of the ‘9002 RAT’ Trojan called ‘3102’\nthat heavily relies on plugins to provide functionality needed by the actors to carry out their\nobjectives.\nThe 3102 payload used in this attack also appears to be related to the EvilGrab RAT payload\ndelivered in the watering hole attack hosted on the President of Myanmar’s website in May\n2015. Additionally, we uncovered ties between the C2 infrastructure and individuals in China\nactive in online hacking forums that claim to work in Trojan development.\nInformation\nLast change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool 3102 RAT\nChanged Name Country Observed\nAPT groups\n Nightshade Panda, APT 9, Group 27 2013-Sep 2016\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fae56cde-ba06-490d-be43-2b637ac32ac0\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fae56cde-ba06-490d-be43-2b637ac32ac0\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fae56cde-ba06-490d-be43-2b637ac32ac0\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fae56cde-ba06-490d-be43-2b637ac32ac0"
	],
	"report_names": [
		"listgroups.cgi?u=fae56cde-ba06-490d-be43-2b637ac32ac0"
	],
	"threat_actors": [
		{
			"id": "699b7efc-322d-489d-818d-823fac028124",
			"created_at": "2023-01-06T13:46:39.404825Z",
			"updated_at": "2026-04-10T02:00:03.315524Z",
			"deleted_at": null,
			"main_name": "APT9",
			"aliases": [
				"NIGHTSHADE PANDA",
				"Red Pegasus",
				"Group 27"
			],
			"source_name": "MISPGALAXY:APT9",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e79324a2-bdae-4dc5-9421-578a59045288",
			"created_at": "2022-10-25T16:07:23.906087Z",
			"updated_at": "2026-04-10T02:00:04.784657Z",
			"deleted_at": null,
			"main_name": "Nightshade Panda",
			"aliases": [
				"APT 9",
				"FlowerLady",
				"FlowerShow",
				"Group 27",
				"Nightshade Panda",
				"Operation Seven Pointed Dagger"
			],
			"source_name": "ETDA:Nightshade Panda",
			"tools": [
				"3102 RAT",
				"9002 RAT",
				"Agent.dhwf",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"EvilGrab",
				"EvilGrab RAT",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"MoonWind",
				"MoonWind RAT",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Vidgrab",
				"Wmonder",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434703,
	"ts_updated_at": 1775791798,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16701c394c4c97ff921252723d96a8b5022938b0.pdf",
		"text": "https://archive.orkl.eu/16701c394c4c97ff921252723d96a8b5022938b0.txt",
		"img": "https://archive.orkl.eu/16701c394c4c97ff921252723d96a8b5022938b0.jpg"
	}
}