{
	"id": "392db43d-5260-4e96-a8dc-84e25c2c3a7f",
	"created_at": "2026-04-06T00:08:55.591298Z",
	"updated_at": "2026-04-10T03:38:09.683541Z",
	"deleted_at": null,
	"sha1_hash": "26522edd201224334d1059d073e92b7b8c139131",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50690,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:01:25 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ShadyRAT\n Tool: ShadyRAT\nNames ShadyRAT\nCategory Malware\nType Backdoor, Info stealer\nDescription\n(Trend Micro) This notorious data-stealing spying Trojan also used blogging platforms as a\nC\u0026C channel, except that the commands are encrypted and encoded into HTML comments,\ninterspersed with what appears to be legitimate content. This makes the traffic look like it\ncomes from a real user visiting a blog with a regular web browser. In fact, the page is not being\ndisplayed at all on the infected system; the Trojan just decodes the information within the\ncomments and is able to understand the commands the attacker is sending. On a cursory look\nto the actual blog, a visitor would never spot any of this, since the comments are never\ndisplayed on the browser either.\nThis is a perfect vehicle for these attackers, who are trying to stay undetected for as long as\npossible. ShadyRAT was the first major targeted attack that was spotted in the wild, and this\ntechnique was possibly a contributing factor. The network traffic looks perfectly tame to any\ntraffic observer or security device.\nOn top of this, ShadyRAT was also able to decrypt and decode C\u0026C commands hidden within\nJPG files using the LSB technique as seen in the first entry of this series. \nA shady one indeed.\nInformation\nLast change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool ShadyRAT\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=851d2801-ccbb-48b1-869d-2ba82ad45c9d\nPage 1 of 2\n\nAPT groups\r\n  Comment Crew, APT 1 2006-May 2018\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=851d2801-ccbb-48b1-869d-2ba82ad45c9d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=851d2801-ccbb-48b1-869d-2ba82ad45c9d\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=851d2801-ccbb-48b1-869d-2ba82ad45c9d"
	],
	"report_names": [
		"listgroups.cgi?u=851d2801-ccbb-48b1-869d-2ba82ad45c9d"
	],
	"threat_actors": [
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434135,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26522edd201224334d1059d073e92b7b8c139131.pdf",
		"text": "https://archive.orkl.eu/26522edd201224334d1059d073e92b7b8c139131.txt",
		"img": "https://archive.orkl.eu/26522edd201224334d1059d073e92b7b8c139131.jpg"
	}
}