{ "id": "7c65c694-064d-433a-aeda-9284075b95af", "created_at": "2026-04-06T00:11:43.415556Z", "updated_at": "2026-04-10T13:12:43.61559Z", "deleted_at": null, "sha1_hash": "246bc148acaff22fdbfffb6961f9116c64a0964e", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52787, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:43:31 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool NetEagle\n Tool: NetEagle\nNames\nNetEagle\nScoutEagle\nscout\nNeteagle_Scout\nnorton\nCategory Malware\nType Backdoor\nDescription\n(FireEye) While the NETEAGLE backdoor does not have as venerable a history\n(identified samples were compiled as early as 2008 and as recently as 2013), it shows a\nsimilar pattern of long-term refinement and modification, including the development of\ntwo main variants (which we call the “Scout” and “Norton” variants). Just as with\nBackspace, while the details of implementation and specific features across\nNETEAGLE samples may vary, the core functionality remains the same except for the\naddition of features or enhancements.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 28 December 2022\nDownload this tool card in JSON format\nAll groups using tool NetEagle\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b7818f5e-fcb8-46af-b566-5245edacc0b2\nPage 1 of 2\n\nAPT groups\r\n  APT 30, Override Panda 2005  \r\n  Naikon, Lotus Panda 2010-Apr 2022  \r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b7818f5e-fcb8-46af-b566-5245edacc0b2\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b7818f5e-fcb8-46af-b566-5245edacc0b2\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b7818f5e-fcb8-46af-b566-5245edacc0b2" ], "report_names": [ "listgroups.cgi?u=b7818f5e-fcb8-46af-b566-5245edacc0b2" ], "threat_actors": [ { "id": "360f51f5-8a80-41d6-92c4-9aa042cd2732", "created_at": "2022-10-25T16:07:23.34569Z", "updated_at": "2026-04-10T02:00:04.55147Z", "deleted_at": null, "main_name": "APT 30", "aliases": [ "APT 30", "Bronze Geneva", "Bronze Sterling", "CTG-5326", "G0013", "Override Panda", "RADIUM", "Raspberry Typhoon" ], "source_name": "ETDA:APT 30", "tools": [ "BackBend", "Creamsicle", "Flashflood", "Gemcutter", "Lecna", "NetEagle", "Neteagle_Scout", "Orangeade", "ScoutEagle", "Shipshape", "ZRLnk", "norton" ], "source_id": "ETDA", "reports": null }, { "id": "b69484be-98d1-49e6-aed1-a28dbf65176a", "created_at": "2022-10-25T16:07:23.886782Z", "updated_at": "2026-04-10T02:00:04.779029Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "G0019", "Hellsing", "ITG06", "Lotus Panda", "Naikon", "Operation CameraShy" ], "source_name": "ETDA:Naikon", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "AR", "ARL", "Agent.dhwf", "Aria-body", "Aria-body loader", "Asset Reconnaissance Lighthouse", "BackBend", "Creamsicle", "Custom HDoor", "Destroy RAT", "DestroyRAT", "Flashflood", "FoundCore", "Gemcutter", "HDoor", "JadeRAT", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LadonGo", "Lecna", "Living off the Land", "NBTscan", "Naikon", "NetEagle", "Neteagle_Scout", "NewCore RAT", "Orangeade", "PlugX", "Quarks PwDump", "RARSTONE", "RainyDay", "RedDelta", "RoyalRoad", "Sacto", "Sandboxie", "ScoutEagle", "Shipshape", "Sisfader", "Sisfader RAT", "Sogu", "SslMM", "Sys10", "TIGERPLUG", "TVT", "TeamViewer", "Thoper", "WinMM", "Xamtrav", "XsFunction", "ZRLnk", "nbtscan", "nokian", "norton", "xsControl", "xsPlus" ], "source_id": "ETDA", "reports": null }, { "id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32", "created_at": "2023-04-20T02:01:50.979595Z", "updated_at": "2026-04-10T02:00:02.913011Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "BRONZE STERLING", "G0013", "PLA Unit 78020", "OVERRIDE PANDA", "Camerashy", "BRONZE GENEVA", "G0019", "Naikon" ], "source_name": "MISPGALAXY:Naikon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c21da9ce-944f-4a37-8ce3-71a0f738af80", "created_at": "2025-08-07T02:03:24.586257Z", "updated_at": "2026-04-10T02:00:03.804264Z", "deleted_at": null, "main_name": "BRONZE ELGIN", "aliases": [ "CTG-8171 ", "Lotus Blossom ", "Lotus Panda ", "Lstudio", "Spring Dragon " ], "source_name": "Secureworks:BRONZE ELGIN", "tools": [ "Chrysalis", "Cobalt Strike", "Elise", "Emissary Trojan", "Lzari", "Meterpreter" ], "source_id": "Secureworks", "reports": null }, { "id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf", "created_at": "2022-10-25T15:50:23.31611Z", "updated_at": "2026-04-10T02:00:05.370146Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "Naikon" ], "source_name": "MITRE:Naikon", "tools": [ "ftp", "netsh", "WinMM", "Systeminfo", "RainyDay", "RARSTONE", "HDoor", "Sys10", "SslMM", "PsExec", "Tasklist", "Aria-body" ], "source_id": "MITRE", "reports": null }, { "id": "87a20b72-ab72-402f-9013-c746c8458b0b", "created_at": "2023-01-06T13:46:38.293223Z", "updated_at": "2026-04-10T02:00:02.915184Z", "deleted_at": null, "main_name": "LOTUS PANDA", "aliases": [ "Red Salamander", "Lotus BLossom", "Billbug", "Spring Dragon", "ST Group", "BRONZE ELGIN", "ATK1", "G0030", "Lotus Blossom", "DRAGONFISH" ], "source_name": "MISPGALAXY:LOTUS PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62", "created_at": "2025-08-07T02:03:24.604463Z", "updated_at": "2026-04-10T02:00:03.798481Z", "deleted_at": null, "main_name": "BRONZE GENEVA", "aliases": [ "APT30 ", "BRONZE STERLING ", "CTG-5326 ", "Naikon ", "Override Panda ", "RADIUM ", "Raspberry Typhoon" ], "source_name": "Secureworks:BRONZE GENEVA", "tools": [ "Lecna Downloader", "Nebulae", "ShadowPad" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434303, "ts_updated_at": 1775826763, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/246bc148acaff22fdbfffb6961f9116c64a0964e.pdf", "text": "https://archive.orkl.eu/246bc148acaff22fdbfffb6961f9116c64a0964e.txt", "img": "https://archive.orkl.eu/246bc148acaff22fdbfffb6961f9116c64a0964e.jpg" } }