{ "id": "5cf1dd1e-773d-49d5-8df8-5588e57d905e", "created_at": "2026-04-06T00:11:20.244211Z", "updated_at": "2026-04-10T03:36:13.916437Z", "deleted_at": null, "sha1_hash": "1a5ff093848231644335589c838b459baf959597", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54584, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:54:49 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Elirks\n Tool: Elirks\nNames Elirks\nCategory Malware\nType Backdoor, Info stealer\nDescription\n(Palo Alto) Elirks, less widely known than PlugX, is a basic backdoor Trojan, first\ndiscovered in 2010, that is primarily used to steal information from compromised systems.\nWe mostly observe attacks using Elirks occurring in East Asia. One of the unique features\nof the malware is that it retrieves its C2 address by accessing a pre-determined microblog\nservice or SNS. Attackers create accounts on those services and post encoded IP addresses\nor the domain names of real C2 servers in advance of distributing the backdoor. We have\nseen multiple Elirks variants using Japanese blog services for the last couple of years.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 13 May 2020\nDownload this tool card in JSON format\nAll groups using tool Elirks\nChanged Name Country Observed\nAPT groups\n Blackgear 2018-Jul 2018\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=51e51b03-0133-427f-8465-bceeefc52ee9\nPage 1 of 2\n\nBronze Butler, Tick, RedBaldNight, Stalker Panda 2006-Apr 2021\r\n  Scarlet Mimic 2015-Aug 2022  \r\n3 groups listed (3 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=51e51b03-0133-427f-8465-bceeefc52ee9\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=51e51b03-0133-427f-8465-bceeefc52ee9\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=51e51b03-0133-427f-8465-bceeefc52ee9" ], "report_names": [ "listgroups.cgi?u=51e51b03-0133-427f-8465-bceeefc52ee9" ], "threat_actors": [ { "id": "8c5c318c-0e71-4184-92bb-d1c28f68a411", "created_at": "2022-10-25T15:50:23.692481Z", "updated_at": "2026-04-10T02:00:05.409574Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "Scarlet Mimic" ], "source_name": "MITRE:Scarlet Mimic", "tools": [ "Psylo", "MobileOrder", "CallMe", "FakeM" ], "source_id": "MITRE", "reports": null }, { "id": "bbefc37d-475c-4d4d-b80b-7a55f896de82", "created_at": "2022-10-25T15:50:23.571783Z", "updated_at": "2026-04-10T02:00:05.302196Z", "deleted_at": null, "main_name": "BRONZE BUTLER", "aliases": [ "BRONZE BUTLER", "REDBALDKNIGHT" ], "source_name": "MITRE:BRONZE BUTLER", "tools": [ "Mimikatz", "build_downer", "cmd", "ABK", "at", "BBK", "schtasks", "down_new", "Daserf", "ShadowPad", "Windows Credential Editor", "gsecdump" ], "source_id": "MITRE", "reports": null }, { "id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf", "created_at": "2023-01-06T13:46:38.626906Z", "updated_at": "2026-04-10T02:00:03.043681Z", "deleted_at": null, "main_name": "Tick", "aliases": [ "G0060", "Stalker Taurus", "PLA Unit 61419", "Swirl Typhoon", "Nian", "BRONZE BUTLER", "REDBALDKNIGHT", "STALKER PANDA" ], "source_name": "MISPGALAXY:Tick", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cac03bbf-0c42-470d-951e-0e92656be6cb", "created_at": "2023-01-06T13:46:38.463275Z", "updated_at": "2026-04-10T02:00:02.985402Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "Golfing Taurus", "G0029" ], "source_name": "MISPGALAXY:Scarlet Mimic", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ad59becc-29c2-4b7a-a958-d7f242d222ea", "created_at": "2023-01-06T13:46:38.956494Z", "updated_at": "2026-04-10T02:00:03.161471Z", "deleted_at": null, "main_name": "Blackgear", "aliases": [ "BLACKGEAR", "Topgear", "Comnie" ], "source_name": "MISPGALAXY:Blackgear", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "54e55585-1025-49d2-9de8-90fc7a631f45", "created_at": "2025-08-07T02:03:24.563488Z", "updated_at": "2026-04-10T02:00:03.715427Z", "deleted_at": null, "main_name": "BRONZE BUTLER", "aliases": [ "CTG-2006 ", "Daserf", "Stalker Panda ", "Swirl Typhoon ", "Tick " ], "source_name": "Secureworks:BRONZE BUTLER", "tools": [ "ABK", "BBK", "Casper", "DGet", "Daserf", "Datper", "Ghostdown", "Gofarer", "MSGet", "Mimikatz", "Netboy", "RarStar", "Screen Capture Tool", "ShadowPad", "ShadowPy", "T-SMB", "down_new", "gsecdump" ], "source_id": "Secureworks", "reports": null }, { "id": "9fc2aed1-c838-41e9-b469-922e7bab6f94", "created_at": "2022-10-25T16:07:24.162936Z", "updated_at": "2026-04-10T02:00:04.886029Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "G0029", "Golfing Taurus" ], "source_name": "ETDA:Scarlet Mimic", "tools": [ "BrutishCommand", "CallMe", "CrypticConvo", "Elirks", "FakeFish", "FakeHighFive", "FakeM", "FakeM RAT", "FullThrottle", "HTran", "HUC Packet Transmit Tool", "MobileOrder", "Psylo", "RaidBase", "SkiBoot", "SubtractThis", "Terminator RAT" ], "source_id": "ETDA", "reports": null }, { "id": "6750d709-9153-4e90-baa3-04883a9b762b", "created_at": "2022-10-25T16:07:23.397596Z", "updated_at": "2026-04-10T02:00:04.580074Z", "deleted_at": null, "main_name": "Blackgear", "aliases": [ "Topgear" ], "source_name": "ETDA:Blackgear", "tools": [ "Comnie", "Elirks", "Protux" ], "source_id": "ETDA", "reports": null }, { "id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b", "created_at": "2022-10-25T16:07:23.419513Z", "updated_at": "2026-04-10T02:00:04.591062Z", "deleted_at": null, "main_name": "Bronze Butler", "aliases": [ "Bronze Butler", "CTG-2006", "G0060", "Operation ENDTRADE", "RedBaldNight", "Stalker Panda", "Stalker Taurus", "Swirl Typhoon", "TEMP.Tick", "Tick" ], "source_name": "ETDA:Bronze Butler", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "9002 RAT", "AngryRebel", "Blogspot", "Daserf", "Datper", "Elirks", "Farfli", "Gh0st RAT", "Ghost RAT", "HOMEUNIX", "HidraQ", "HomamDownloader", "Homux", "Hydraq", "Lilith", "Lilith RAT", "McRAT", "MdmBot", "Mimikatz", "Minzen", "Moudour", "Muirim", "Mydoor", "Nioupale", "PCRat", "POISONPLUG.SHADOW", "Roarur", "RoyalRoad", "ShadowPad Winnti", "ShadowWali", "ShadowWalker", "SymonLoader", "WCE", "Wali", "Windows Credential Editor", "Windows Credentials Editor", "XShellGhost", "XXMM", "gsecdump", "rarstar" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434280, "ts_updated_at": 1775792173, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1a5ff093848231644335589c838b459baf959597.pdf", "text": "https://archive.orkl.eu/1a5ff093848231644335589c838b459baf959597.txt", "img": "https://archive.orkl.eu/1a5ff093848231644335589c838b459baf959597.jpg" } }