{ "id": "e4307e29-44b0-4c74-a640-2b682f9e0a1e", "created_at": "2026-04-06T00:08:59.130126Z", "updated_at": "2026-04-10T03:31:13.462428Z", "deleted_at": null, "sha1_hash": "24a4f302e6e8a4d7ecea9d3b91a72a246b606a91", "title": "Backdoor Batel - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 44366, "plain_text": "Backdoor Batel - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 19:17:45 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Backdoor Batel\r\n Tool: Backdoor Batel\r\nNames\r\nBackdoor Batel\r\nBatel\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\nOnce the Odinaff Trojan has performed the initial compromise of the infected machine, a\r\nsecond piece of malware known as Batel is installed. This second malware infection is capable\r\nof running payloads solely in the memory, effectively enabling it to stealthily run in the\r\nbackground.\r\nInformation \u003chttps://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.batel\u003e\r\nLast change to this tool card: 23 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Backdoor Batel\r\nChanged Name Country Observed\r\nAPT groups\r\n  Carbanak, Anunak 2013-Apr 2023\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ed1ca12d-ad0f-4cdf-86b9-0d1df7b08774\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ed1ca12d-ad0f-4cdf-86b9-0d1df7b08774\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ed1ca12d-ad0f-4cdf-86b9-0d1df7b08774" ], "report_names": [ "listgroups.cgi?u=ed1ca12d-ad0f-4cdf-86b9-0d1df7b08774" ], "threat_actors": [ { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434139, "ts_updated_at": 1775791873, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/24a4f302e6e8a4d7ecea9d3b91a72a246b606a91.pdf", "text": "https://archive.orkl.eu/24a4f302e6e8a4d7ecea9d3b91a72a246b606a91.txt", "img": "https://archive.orkl.eu/24a4f302e6e8a4d7ecea9d3b91a72a246b606a91.jpg" } }