{
	"id": "f0f338b5-46b6-43a0-a10d-822a3b7e6525",
	"created_at": "2026-04-06T00:11:10.697334Z",
	"updated_at": "2026-04-10T03:34:17.24917Z",
	"deleted_at": null,
	"sha1_hash": "275139600f1e03508868004d67c8392ec1dd1cbc",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51119,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:15:48 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Rambo\r\n Tool: Rambo\r\nNames\r\nRambo\r\nbrebsd\r\nCategory Malware\r\nType Reconnaissance, Backdoor\r\nDescription\r\n(securitykitten) Rambo is a unique backdoor with features that are the result of some odd design\r\ndecisions. In the initial dropper the configuration containing offsets and filenames are encoded with\r\nTEA, however the binaries are not encoded at all. It uses AES to encode the host information that is sent\r\nout over the network, however the C2 is hidden with a single byte XOR. While they may not make\r\nmuch sense to a reverse engineer, it gives some idea to the information that the author doesn’t want to\r\nbe easily recovered. By writing commands to temporary files and trying to communicate between\r\nmultiple processes, the authors turn a simple stage 1 implant into something that is confusing and more\r\ndifficult to study.\r\nInformation\r\n\u003chttps://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/000/062/original/RamboDIMVA2016.pdf\u003e\r\n\u003chttps://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.rambo\u003e\r\nLast change to this tool card: 23 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Rambo\r\nChanged Name Country Observed\r\nAPT groups\r\n  DragonOK 2015-Jan 2017  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3aafd694-df10-45cb-85dd-25e4cee2d92b\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3aafd694-df10-45cb-85dd-25e4cee2d92b\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3aafd694-df10-45cb-85dd-25e4cee2d92b\r\nPage 2 of 2\n\nAPT groups  DragonOK 2015-Jan 2017 \n1 group listed (1 APT, 0 other, 0 unknown) \n\n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3aafd694-df10-45cb-85dd-25e4cee2d92b"
	],
	"report_names": [
		"listgroups.cgi?u=3aafd694-df10-45cb-85dd-25e4cee2d92b"
	],
	"threat_actors": [
		{
			"id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0",
			"created_at": "2023-01-06T13:46:38.469688Z",
			"updated_at": "2026-04-10T02:00:02.987949Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Moafee",
				"BRONZE OVERBROOK",
				"G0017",
				"G0002",
				"Shallow Taurus"
			],
			"source_name": "MISPGALAXY:DragonOK",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28",
			"created_at": "2022-10-25T15:50:23.78829Z",
			"updated_at": "2026-04-10T02:00:05.415039Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"DragonOK"
			],
			"source_name": "MITRE:DragonOK",
			"tools": [
				"PoisonIvy",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "593dd07d-853c-46cd-8117-e24061034bbf",
			"created_at": "2025-08-07T02:03:24.648074Z",
			"updated_at": "2026-04-10T02:00:03.625859Z",
			"deleted_at": null,
			"main_name": "BRONZE OVERBROOK",
			"aliases": [
				"Danti ",
				"DragonOK ",
				"Samurai Panda ",
				"Shallow Taurus ",
				"Temp.DragonOK "
			],
			"source_name": "Secureworks:BRONZE OVERBROOK",
			"tools": [
				"Aveo",
				"DDKONG",
				"Godzilla Webshell",
				"HelloBridge",
				"IsSpace",
				"NFLog Trojan",
				"PLAINTEE",
				"PlugX",
				"Rambo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "340d1673-0678-4e1f-8b75-30da2f65cc80",
			"created_at": "2022-10-25T16:07:23.552036Z",
			"updated_at": "2026-04-10T02:00:04.653109Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Bronze Overbrook",
				"G0017",
				"Shallow Taurus"
			],
			"source_name": "ETDA:DragonOK",
			"tools": [
				"Agent.dhwf",
				"CT",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"HTran",
				"HUC Packet Transmit Tool",
				"HelloBridge",
				"IsSpace",
				"KHRAT",
				"Kaba",
				"Korplug",
				"Mongall",
				"NFlog",
				"NewCT",
				"NfLog RAT",
				"PlugX",
				"Poison Ivy",
				"Rambo",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"SysGet",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TidePool",
				"Xamtrav",
				"brebsd",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434270,
	"ts_updated_at": 1775792057,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/275139600f1e03508868004d67c8392ec1dd1cbc.pdf",
		"text": "https://archive.orkl.eu/275139600f1e03508868004d67c8392ec1dd1cbc.txt",
		"img": "https://archive.orkl.eu/275139600f1e03508868004d67c8392ec1dd1cbc.jpg"
	}
}