{
	"id": "5ea455d3-d0a8-486d-b320-826b40fd9b5e",
	"created_at": "2026-04-06T01:31:09.135365Z",
	"updated_at": "2026-04-10T13:12:16.32544Z",
	"deleted_at": null,
	"sha1_hash": "274d734bcd9a3fee5c72809392c54bab6729937e",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31004,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy dekaRituraj\r\nArchived: 2026-04-06 01:04:44 UTC\r\nFileHash-SHA1: 1 | FileHash-SHA256: 10 | Domain: 1 | Hostname: 2\r\nIn late June 2018, Unit 42 revealed a previously unknown cyber espionage group we dubbed Rancor, which conducted targeted attacks in Southeast Asia throughout 2017 and 2018. In recent attacks, the group has persistently targeted at least one government organization in Cambodia from December 2018 through January 2019. While researching these attacks, we discovered an undocumented, custom malware family – which we’ve named Dudell. In addition, we discovered the group using Derusbi, which is a malware family believed to be unique to a small subset of Chinese cyber espionage groups.\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:DUDELL\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:DUDELL\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:DUDELL"
	],
	"report_names": [
		"pulses?q=tag:DUDELL"
	],
	"threat_actors": [
		{
			"id": "e8aee970-e31e-489f-81c2-c23cd52e255c",
			"created_at": "2023-01-06T13:46:38.763687Z",
			"updated_at": "2026-04-10T02:00:03.092181Z",
			"deleted_at": null,
			"main_name": "RANCOR",
			"aliases": [
				"Rancor Group",
				"G0075",
				"Rancor Taurus",
				"Rancor group",
				"Rancor"
			],
			"source_name": "MISPGALAXY:RANCOR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d11e45c-4e31-4997-88f5-295b2564cfc6",
			"created_at": "2022-10-25T15:50:23.794721Z",
			"updated_at": "2026-04-10T02:00:05.358892Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"Rancor"
			],
			"source_name": "MITRE:Rancor",
			"tools": [
				"DDKONG",
				"PLAINTEE",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "416f8374-2b06-47e4-ba91-929b3f85d9bf",
			"created_at": "2022-10-25T16:07:24.093951Z",
			"updated_at": "2026-04-10T02:00:04.864244Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"G0075",
				"Rancor Group",
				"Rancor Taurus"
			],
			"source_name": "ETDA:Rancor",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DDKONG",
				"Derusbi",
				"Dudell",
				"ExDudell",
				"KHRAT",
				"PLAINTEE",
				"RoyalRoad",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439069,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/274d734bcd9a3fee5c72809392c54bab6729937e.pdf",
		"text": "https://archive.orkl.eu/274d734bcd9a3fee5c72809392c54bab6729937e.txt",
		"img": "https://archive.orkl.eu/274d734bcd9a3fee5c72809392c54bab6729937e.jpg"
	}
}