{
	"id": "af5a4bc9-fe49-432f-b502-03c9afed35c2",
	"created_at": "2026-04-06T00:14:23.060312Z",
	"updated_at": "2026-04-10T03:30:42.957051Z",
	"deleted_at": null,
	"sha1_hash": "23dc105aceabb65efe5f6af3cf779bfcd7227502",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50762,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:02:15 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool logon.dll\n Tool: logon.dll\nNames logon.dll\nCategory Malware\nType Backdoor\nDescription\n(Avast) Both DLLs, sqllauncher.dll and logon.dll, are primarily used as backdoors. These are\ninstalled as services by the aforementioned batch file. They both create a log file under the\npath: %COMMON_DOCUMENT%\\WZ9JuN00.tmp aggregating errors during the backdoor’s\nruntime. Each entry contains an error code, an error message, and a timestamp formatted as\n“[yyyy-mm-dd hh-mm-ss] %error code% %message%”.\nIf the infected device can’t connect to the C\u0026C server, the malware attempts to determine\nwhether the traffic is routed through a proxy. This information may be retrieved either from\n%WINDOWS%\\debug\\netlogon.cfg or from the TCP table. After successfully connecting to\nthe C\u0026C server, a secure communication channel (Schannel) is established and telemetry (OS\nversion, username) is sent to the C\u0026C server.\nInformation\nLast change to this tool card: 18 May 2020\nDownload this tool card in JSON format\nAll groups using tool logon.dll\nChanged Name Country Observed\nAPT groups\n Mikroceen 2017-Mar 2021\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b5b72b0-de00-47a7-8426-0afee097cae3\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b5b72b0-de00-47a7-8426-0afee097cae3\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b5b72b0-de00-47a7-8426-0afee097cae3\r\nPage 2 of 2\n\nAPT groups  Mikroceen 2017-Mar 2021 \n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b5b72b0-de00-47a7-8426-0afee097cae3"
	],
	"report_names": [
		"listgroups.cgi?u=9b5b72b0-de00-47a7-8426-0afee097cae3"
	],
	"threat_actors": [
		{
			"id": "3c7097f4-849b-4bc0-a7e6-ba2b510722b6",
			"created_at": "2022-10-25T16:07:23.869951Z",
			"updated_at": "2026-04-10T02:00:04.766204Z",
			"deleted_at": null,
			"main_name": "Mikroceen",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "ETDA:Mikroceen",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Microcin",
				"Mikroceen",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"PCRat",
				"logon.dll",
				"logsupport.dll",
				"pcaudit.bat",
				"sqllauncher.dll"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434463,
	"ts_updated_at": 1775791842,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/23dc105aceabb65efe5f6af3cf779bfcd7227502.pdf",
		"text": "https://archive.orkl.eu/23dc105aceabb65efe5f6af3cf779bfcd7227502.txt",
		"img": "https://archive.orkl.eu/23dc105aceabb65efe5f6af3cf779bfcd7227502.jpg"
	}
}