{ "id": "ed536447-1cd4-4ed4-abfd-b5f4dcf482a5", "created_at": "2026-04-06T00:14:13.667346Z", "updated_at": "2026-04-10T03:37:01.09631Z", "deleted_at": null, "sha1_hash": "292425c65d3e7fdbb08a45c0045f18c69bc2b393", "title": "Gh0stCringe RAT - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47072, "plain_text": "Gh0stCringe RAT - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 18:51:14 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Gh0stCringe RAT\n Tool: Gh0stCringe RAT\nNames Gh0stCringe RAT\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) Another piece of malware that the attackers tried to use is Gh0stCringe, which is\nbased on the source code of Gh0st RAT. The attackers tried to execute this tool twice, with a\ngap of over 10 days between executions.\nInformation Last change to this tool card: 12 October 2023\nDownload this tool card in JSON format\nAll groups using tool Gh0stCringe RAT\nChanged Name Country Observed\nAPT groups\n Gallium 2018-Jun 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e5b780d-dbb7-4816-bece-899a18da4924\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e5b780d-dbb7-4816-bece-899a18da4924\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e5b780d-dbb7-4816-bece-899a18da4924" ], "report_names": [ "listgroups.cgi?u=7e5b780d-dbb7-4816-bece-899a18da4924" ], "threat_actors": [ { "id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd", "created_at": "2022-10-25T15:50:23.264584Z", "updated_at": "2026-04-10T02:00:05.334294Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "GALLIUM", "Granite Typhoon" ], "source_name": "MITRE:GALLIUM", "tools": [ "ipconfig", "cmd", "China Chopper", "PoisonIvy", "at", "PlugX", "PingPull", "BlackMould", "Mimikatz", "PsExec", "HTRAN", "NBTscan", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "9faf32b7-0221-46ac-a716-c330c1f10c95", "created_at": "2022-10-25T16:07:23.652281Z", "updated_at": "2026-04-10T02:00:04.702108Z", "deleted_at": null, "main_name": "Gallium", "aliases": [ "Alloy Taurus", "G0093", "Granite Typhoon", "Phantom Panda" ], "source_name": "ETDA:Gallium", "tools": [ "Agentemis", "BlackMould", "CHINACHOPPER", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Darkmoon", "Gen:Trojan.Heur.PT", "Gh0stCringe RAT", "HTran", "HUC Packet Transmit Tool", "LaZagne", "Mimikatz", "NBTscan", "PingPull", "Plink", "Poison Ivy", "PsExec", "PuTTY Link", "QuarkBandit", "Quasar RAT", "QuasarRAT", "Reshell", "SPIVY", "SinoChopper", "SoftEther VPN", "Sword2033", "WCE", "WinRAR", "Windows Credential Editor", "Windows Credentials Editor", "Yggdrasil", "cobeacon", "nbtscan", "netcat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "c87ee2df-e528-4fa0-bed6-6ed29e390688", "created_at": "2023-01-06T13:46:39.150432Z", "updated_at": "2026-04-10T02:00:03.231072Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "Red Dev 4", "Alloy Taurus", "Granite Typhoon", "PHANTOM PANDA" ], "source_name": "MISPGALAXY:GALLIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434453, "ts_updated_at": 1775792221, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/292425c65d3e7fdbb08a45c0045f18c69bc2b393.pdf", "text": "https://archive.orkl.eu/292425c65d3e7fdbb08a45c0045f18c69bc2b393.txt", "img": "https://archive.orkl.eu/292425c65d3e7fdbb08a45c0045f18c69bc2b393.jpg" } }