{
	"id": "dc86125a-2899-4a3e-8296-99ef538d92a4",
	"created_at": "2026-04-06T00:19:04.892416Z",
	"updated_at": "2026-04-10T03:33:46.022569Z",
	"deleted_at": null,
	"sha1_hash": "2aa9b9750c509d86dc2a6454df924ec2004c6fa8",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51495,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:48:25 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool P8RAT\n Tool: P8RAT\nNames\nP8RAT\nGreetCake\nCategory Malware\nType Backdoor, Loader\nDescription\n(Kaspersky) One of Ecipekac’s payloads is a new fileless malware which we call\nP8RAT (a.k.a GreetCake). P8RAT has the following unique data structure used to store\nthe C2 communication configuration. We collected several samples of P8RAT during\nour research and found no C2 address of P8RAT that was used more than once. In total\nwe found 10 backdoor commands in all the collected P8RAT samples. The most recent\nP8RAT sample, with the compilation timestamp of December 14, 2020, shows a new\nbackdoor command with the code number of “309” implemented. The command “304”,\nwhich was present in earlier samples and carries similar functionality, was removed.\nInformation\nMITRE ATT\u0026CK Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool P8RAT\nChanged Name Country Observed\nAPT groups\n Stone Panda, APT 10, menuPass 2006-Mar 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b5cb59ac-bfd5-400f-91ba-57472c375fd3\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b5cb59ac-bfd5-400f-91ba-57472c375fd3\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b5cb59ac-bfd5-400f-91ba-57472c375fd3\r\nPage 2 of 2\n\nAPT groups Stone Panda, APT 10, menuPass 2006-Mar 2025 \n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b5cb59ac-bfd5-400f-91ba-57472c375fd3"
	],
	"report_names": [
		"listgroups.cgi?u=b5cb59ac-bfd5-400f-91ba-57472c375fd3"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434744,
	"ts_updated_at": 1775792026,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2aa9b9750c509d86dc2a6454df924ec2004c6fa8.pdf",
		"text": "https://archive.orkl.eu/2aa9b9750c509d86dc2a6454df924ec2004c6fa8.txt",
		"img": "https://archive.orkl.eu/2aa9b9750c509d86dc2a6454df924ec2004c6fa8.jpg"
	}
}