{
	"id": "f0669f67-0da8-4c8a-b238-930dabe8d445",
	"created_at": "2026-04-06T00:12:52.879008Z",
	"updated_at": "2026-04-10T03:25:21.271019Z",
	"deleted_at": null,
	"sha1_hash": "23b183ef56fce083c05052622765ac52afa95b49",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48121,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:23:37 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool hcdLoader\n Tool: hcdLoader\nNames hcdLoader\nCategory Malware\nType Backdoor\nDescription\n(Anomali) The Wekby group has exhibited a preference to use a tool named HcdLoader\nwhich often persists as a Windows Service on externally facing servers for remote\naccess.\nInformation\nMITRE ATT\u0026CK Last change to this tool card: 22 April 2020\nDownload this tool card in JSON format\nAll groups using tool hcdLoader\nChanged Name Country Observed\nAPT groups\n APT 18, Dynamite Panda, Wekby 2009-May 2016\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a16b2002-e66b-4202-b032-44a0d43acb65\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a16b2002-e66b-4202-b032-44a0d43acb65\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a16b2002-e66b-4202-b032-44a0d43acb65"
	],
	"report_names": [
		"listgroups.cgi?u=a16b2002-e66b-4202-b032-44a0d43acb65"
	],
	"threat_actors": [
		{
			"id": "17b92337-ca5f-48bb-926b-c93b5e5678a4",
			"created_at": "2022-10-25T16:07:23.333316Z",
			"updated_at": "2026-04-10T02:00:04.546474Z",
			"deleted_at": null,
			"main_name": "APT 18",
			"aliases": [
				"APT 18",
				"Dynamite Panda",
				"G0026",
				"Red Wraith",
				"SILVERVIPER",
				"Satin Typhoon",
				"Scandium",
				"TG-0416",
				"Wekby"
			],
			"source_name": "ETDA:APT 18",
			"tools": [
				"AngryRebel",
				"AtNow",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HttpBrowser RAT",
				"HttpDump",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Pisloader",
				"QUICKBALL",
				"Roseam",
				"StickyFingers",
				"Token Control",
				"TokenControl",
				"hcdLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2669aa86-663f-4e72-9362-9e61ff3599f4",
			"created_at": "2022-10-25T15:50:23.344796Z",
			"updated_at": "2026-04-10T02:00:05.38663Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"APT18",
				"TG-0416",
				"Dynamite Panda",
				"Threat Group-0416"
			],
			"source_name": "MITRE:APT18",
			"tools": [
				"hcdLoader",
				"gh0st RAT",
				"cmd",
				"Pisloader",
				"HTTPBrowser"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434372,
	"ts_updated_at": 1775791521,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/23b183ef56fce083c05052622765ac52afa95b49.pdf",
		"text": "https://archive.orkl.eu/23b183ef56fce083c05052622765ac52afa95b49.txt",
		"img": "https://archive.orkl.eu/23b183ef56fce083c05052622765ac52afa95b49.jpg"
	}
}