{
	"id": "708576da-dca8-439c-aabe-c50780d117fe",
	"created_at": "2026-04-06T00:14:50.084822Z",
	"updated_at": "2026-04-10T13:11:53.468387Z",
	"deleted_at": null,
	"sha1_hash": "1c90060d4c92539ce55222b0b53dbd5a8d32b2d9",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52671,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:23:50 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool MgBot\n Tool: MgBot\nNames\nMgBot\nBLame\nMgmbot\nPOCOSTICK\nCategory Malware\nType Backdoor\nDescription\n(Malwarebytes) MgBot uses several anti-analysis and anti-virtualization techniques. The\ncode is self-modifying, which means it alters its code sections during runtime. This\nmakes static analysis of the sample harder.\nMgBot tries to avoid running in known virtualized environments such as VMware,\nSandboxie and VirtualBox. To identify if it’s running in one of these environments, it\nlooks for the following DLL files: vmhgfs.dll, sbiedll.dll and vboxogl.dll, and if it finds\nany of these DLLs, it enters an infinite loop without doing any malicious activity.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 28 December 2024\nDownload this tool card in JSON format\nAll groups using tool MgBot\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ff3865c1-fb45-4197-89a2-2cce3bed17bb\nPage 1 of 2\n\nAPT groups\r\n  Bronze Highland 2012-Jul 2024  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ff3865c1-fb45-4197-89a2-2cce3bed17bb\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ff3865c1-fb45-4197-89a2-2cce3bed17bb\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ff3865c1-fb45-4197-89a2-2cce3bed17bb"
	],
	"report_names": [
		"listgroups.cgi?u=ff3865c1-fb45-4197-89a2-2cce3bed17bb"
	],
	"threat_actors": [
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434490,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c90060d4c92539ce55222b0b53dbd5a8d32b2d9.pdf",
		"text": "https://archive.orkl.eu/1c90060d4c92539ce55222b0b53dbd5a8d32b2d9.txt",
		"img": "https://archive.orkl.eu/1c90060d4c92539ce55222b0b53dbd5a8d32b2d9.jpg"
	}
}