{ "id": "24ed86fb-2a2f-48cd-afdf-2bc9f65b5482", "created_at": "2026-04-06T00:16:16.711598Z", "updated_at": "2026-04-10T03:34:17.279024Z", "deleted_at": null, "sha1_hash": "2018129f0bbd8a423e5f94e5257e7880fcb20ad4", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52326, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:13:53 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool NewCT\r\n Tool: NewCT\r\nNames\r\nNewCT\r\nCT\r\nCategory Malware\r\nType Loader\r\nDescription\r\n(FireEye) The first-stage payload for RATs called “CT/NewCT” used by both the Moafee\r\nand DragonOK attack groups employs an evasive “CPU core check” technique. The\r\npayload attempts to detect the number of processor cores in the running environment, by\r\ncalling the 'GetSystemInfo' API, which returns a structure with system data, including\r\nnumber of cores. If only one core is detected, it quits. This probably is an attempt to detect\r\nvirtualized environments such as sandboxes, as well as other analysis environments used\r\nby reverse engineers, which often tend to be configured with a single core. If the CPU\r\ncore check detects more than one core, it implants the NewCT2 RAT in\r\n%temp%\\MSSoap.DLL(some variants will use BurnDCSrv.DLL and IntelAMTPP.DLL)\r\nand executes the written file.\r\nInformation\r\n\u003chttps://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:newct\u003e\r\nLast change to this tool card: 23 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool NewCT\r\nChanged Name Country Observed\r\nAPT groups\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b4292bd-b44f-4f30-82f9-2ee15bdac87e\r\nPage 1 of 2\n\nDragonOK 2015-Jan 2017  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b4292bd-b44f-4f30-82f9-2ee15bdac87e\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b4292bd-b44f-4f30-82f9-2ee15bdac87e\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b4292bd-b44f-4f30-82f9-2ee15bdac87e" ], "report_names": [ "listgroups.cgi?u=6b4292bd-b44f-4f30-82f9-2ee15bdac87e" ], "threat_actors": [ { "id": "d7226f71-df4a-405e-9252-f8c4108303ae", "created_at": "2022-10-25T15:50:23.325171Z", "updated_at": "2026-04-10T02:00:05.413071Z", "deleted_at": null, "main_name": "Moafee", "aliases": [ "Moafee" ], "source_name": "MITRE:Moafee", "tools": [ "PoisonIvy" ], "source_id": "MITRE", "reports": null }, { "id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0", "created_at": "2023-01-06T13:46:38.469688Z", "updated_at": "2026-04-10T02:00:02.987949Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "Moafee", "BRONZE OVERBROOK", "G0017", "G0002", "Shallow Taurus" ], "source_name": "MISPGALAXY:DragonOK", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28", "created_at": "2022-10-25T15:50:23.78829Z", "updated_at": "2026-04-10T02:00:05.415039Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "DragonOK" ], "source_name": "MITRE:DragonOK", "tools": [ "PoisonIvy", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "c3c08eb0-cced-43ab-b126-fbe0c39a0698", "created_at": "2022-10-25T16:07:23.872885Z", "updated_at": "2026-04-10T02:00:04.767193Z", "deleted_at": null, "main_name": "Moafee", "aliases": [ "G0002" ], "source_name": "ETDA:Moafee", "tools": [ "Chymine", "Darkmoon", "Gen:Trojan.Heur.PT", "HTran", "HUC Packet Transmit Tool", "Mongall", "NFlog", "NewCT2", "Poison Ivy", "SPIVY", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "593dd07d-853c-46cd-8117-e24061034bbf", "created_at": "2025-08-07T02:03:24.648074Z", "updated_at": "2026-04-10T02:00:03.625859Z", "deleted_at": null, "main_name": "BRONZE OVERBROOK", "aliases": [ "Danti ", "DragonOK ", "Samurai Panda ", "Shallow Taurus ", "Temp.DragonOK " ], "source_name": "Secureworks:BRONZE OVERBROOK", "tools": [ "Aveo", "DDKONG", "Godzilla Webshell", "HelloBridge", "IsSpace", "NFLog Trojan", "PLAINTEE", "PlugX", "Rambo" ], "source_id": "Secureworks", "reports": null }, { "id": "340d1673-0678-4e1f-8b75-30da2f65cc80", "created_at": "2022-10-25T16:07:23.552036Z", "updated_at": "2026-04-10T02:00:04.653109Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "Bronze Overbrook", "G0017", "Shallow Taurus" ], "source_name": "ETDA:DragonOK", "tools": [ "Agent.dhwf", "CT", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "FF-RAT", "FormerFirstRAT", "Gen:Trojan.Heur.PT", "HTran", "HUC Packet Transmit Tool", "HelloBridge", "IsSpace", "KHRAT", "Kaba", "Korplug", "Mongall", "NFlog", "NewCT", "NfLog RAT", "PlugX", "Poison Ivy", "Rambo", "RedDelta", "SPIVY", "Sogu", "SysGet", "TIGERPLUG", "TVT", "Thoper", "TidePool", "Xamtrav", "brebsd", "ffrat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434576, "ts_updated_at": 1775792057, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2018129f0bbd8a423e5f94e5257e7880fcb20ad4.pdf", "text": "https://archive.orkl.eu/2018129f0bbd8a423e5f94e5257e7880fcb20ad4.txt", "img": "https://archive.orkl.eu/2018129f0bbd8a423e5f94e5257e7880fcb20ad4.jpg" } }