{
	"id": "478c9974-1030-4d39-b8d9-fc4216bfbed6",
	"created_at": "2026-04-06T00:18:20.529657Z",
	"updated_at": "2026-04-10T03:36:18.533972Z",
	"deleted_at": null,
	"sha1_hash": "22f0a239a28e3da3d54e6d36c23767971ba2c409",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61372,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:46:22 UTC\n APT group: DragonOK\nNames\nDragonOK (FireEye)\nBronze Overbrook (SecureWorks)\nShallow Taurus (Palo Alto)\nG0017 (MITRE)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2015\nDescription\nDragonOK is a threat group that has targeted Japanese organizations with phishing\nemails. Due to overlapping TTPs, including similar custom tools, DragonOK is\nthought to have a direct or indirect relationship with the threat group Moafee. It is\nknown to use a variety of malware, including Sysget/HelloBridge, PlugX, Poison\nIvy, FormerFirstRat, NFlog, and NewCT.\nKaspersky also found relations between this group and Rancor.\nObserved\nSectors: High-Tech, Manufacturing.\nCountries: Cambodia, Japan, Russia, Taiwan, Tibet.\nTools used\nFormerFirstRAT, HTran, IsSpace, KHRAT, Mongall, NewCT, NFlog, PlugX, Poison\nIvy, Rambo, SysGet, TidePool.\nOperations performed\nJan 2015\nThis campaign involved five separate phishing attacks, each carrying a\ndifferent variant of Sysget malware, also known as HelloBridge. The\nmalware was included as an attachment intended to trick the user into\nopening the malware.\nAll five phishing campaigns targeted a Japanese manufacturing firm\nover the course of two months, but the final campaign also targeted a\nseparate Japanese high-tech organization.\n2016 In recent months, Unit 42 has observed a number of attacks that we\nattribute to this group. Multiple new variants of the previously\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=6823d807-dfa8-42f3-84d5-986a7ef60c56\nPage 1 of 2\n\ndiscussed sysget malware family have been observed in use by\nDragonOK. Sysget malware was delivered both directly via phishing\nemails, as well as in Rich Text Format (RTF) documents exploiting the\nCVE-2015-1641 vulnerability that in turn leveraged a very unique\nshellcode.\nJan 2017\nCybersecurity expert Niklas Femerstrand in an email yesterday pointed\nout that while servers in several different countries appear to be the\norigin the attack, it has been linked to the DragonOK campaign.\n“The DragonOK campaign has previously [in 2014] targeted\norganizations in Taiwan, Japan, Tibet and Russia, and political\norganizations in Cambodia since at least January, 2017,” he wrote,\nadding that there are “strong indications” the campaign is “an operation\nfunded by China”.\nInformation\nMITRE ATT\u0026CK Playbook Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6823d807-dfa8-42f3-84d5-986a7ef60c56\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=6823d807-dfa8-42f3-84d5-986a7ef60c56\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6823d807-dfa8-42f3-84d5-986a7ef60c56"
	],
	"report_names": [
		"showcard.cgi?u=6823d807-dfa8-42f3-84d5-986a7ef60c56"
	],
	"threat_actors": [
		{
			"id": "d7226f71-df4a-405e-9252-f8c4108303ae",
			"created_at": "2022-10-25T15:50:23.325171Z",
			"updated_at": "2026-04-10T02:00:05.413071Z",
			"deleted_at": null,
			"main_name": "Moafee",
			"aliases": [
				"Moafee"
			],
			"source_name": "MITRE:Moafee",
			"tools": [
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0",
			"created_at": "2023-01-06T13:46:38.469688Z",
			"updated_at": "2026-04-10T02:00:02.987949Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Moafee",
				"BRONZE OVERBROOK",
				"G0017",
				"G0002",
				"Shallow Taurus"
			],
			"source_name": "MISPGALAXY:DragonOK",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28",
			"created_at": "2022-10-25T15:50:23.78829Z",
			"updated_at": "2026-04-10T02:00:05.415039Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"DragonOK"
			],
			"source_name": "MITRE:DragonOK",
			"tools": [
				"PoisonIvy",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e8aee970-e31e-489f-81c2-c23cd52e255c",
			"created_at": "2023-01-06T13:46:38.763687Z",
			"updated_at": "2026-04-10T02:00:03.092181Z",
			"deleted_at": null,
			"main_name": "RANCOR",
			"aliases": [
				"Rancor Group",
				"G0075",
				"Rancor Taurus",
				"Rancor group",
				"Rancor"
			],
			"source_name": "MISPGALAXY:RANCOR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d11e45c-4e31-4997-88f5-295b2564cfc6",
			"created_at": "2022-10-25T15:50:23.794721Z",
			"updated_at": "2026-04-10T02:00:05.358892Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"Rancor"
			],
			"source_name": "MITRE:Rancor",
			"tools": [
				"DDKONG",
				"PLAINTEE",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3c08eb0-cced-43ab-b126-fbe0c39a0698",
			"created_at": "2022-10-25T16:07:23.872885Z",
			"updated_at": "2026-04-10T02:00:04.767193Z",
			"deleted_at": null,
			"main_name": "Moafee",
			"aliases": [
				"G0002"
			],
			"source_name": "ETDA:Moafee",
			"tools": [
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Mongall",
				"NFlog",
				"NewCT2",
				"Poison Ivy",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "593dd07d-853c-46cd-8117-e24061034bbf",
			"created_at": "2025-08-07T02:03:24.648074Z",
			"updated_at": "2026-04-10T02:00:03.625859Z",
			"deleted_at": null,
			"main_name": "BRONZE OVERBROOK",
			"aliases": [
				"Danti",
				"DragonOK",
				"Samurai Panda",
				"Shallow Taurus",
				"Temp.DragonOK"
			],
			"source_name": "Secureworks:BRONZE OVERBROOK",
			"tools": [
				"Aveo",
				"DDKONG",
				"Godzilla Webshell",
				"HelloBridge",
				"IsSpace",
				"NFLog Trojan",
				"PLAINTEE",
				"PlugX",
				"Rambo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "340d1673-0678-4e1f-8b75-30da2f65cc80",
			"created_at": "2022-10-25T16:07:23.552036Z",
			"updated_at": "2026-04-10T02:00:04.653109Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Bronze Overbrook",
				"G0017",
				"Shallow Taurus"
			],
			"source_name": "ETDA:DragonOK",
			"tools": [
				"Agent.dhwf",
				"CT",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"HTran",
				"HUC Packet Transmit Tool",
				"HelloBridge",
				"IsSpace",
				"KHRAT",
				"Kaba",
				"Korplug",
				"Mongall",
				"NFlog",
				"NewCT",
				"NfLog RAT",
				"PlugX",
				"Poison Ivy",
				"Rambo",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"SysGet",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TidePool",
				"Xamtrav",
				"brebsd",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "416f8374-2b06-47e4-ba91-929b3f85d9bf",
			"created_at": "2022-10-25T16:07:24.093951Z",
			"updated_at": "2026-04-10T02:00:04.864244Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"G0075",
				"Rancor Group",
				"Rancor Taurus"
			],
			"source_name": "ETDA:Rancor",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DDKONG",
				"Derusbi",
				"Dudell",
				"ExDudell",
				"KHRAT",
				"PLAINTEE",
				"RoyalRoad",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434700,
	"ts_updated_at": 1775792178,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22f0a239a28e3da3d54e6d36c23767971ba2c409.pdf",
		"text": "https://archive.orkl.eu/22f0a239a28e3da3d54e6d36c23767971ba2c409.txt",
		"img": "https://archive.orkl.eu/22f0a239a28e3da3d54e6d36c23767971ba2c409.jpg"
	}
}