{
	"id": "47839439-a78b-4944-bb64-dbfaa7508e6f",
	"created_at": "2026-04-06T00:13:34.030419Z",
	"updated_at": "2026-04-10T03:37:19.255297Z",
	"deleted_at": null,
	"sha1_hash": "337bcce07a1a9a4c4e70ffd8d116c0204db043ca",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47953,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:35:21 UTC\nTool: DropPhone\nNames: DropPhone\nCategory: Malware\nType: Reconnaissance, Info stealer\nDescription:\n(Kaspersky) DropPhone launches sdclt.exe, then collects environment information from the\nvictim machine and sends it to Dropbox. The last thing this implant does is delete data.dat\nwithout ever accessing its contents. We speculate that they are consumed by sdclt.exe, and that\nthis is another way to lock together the execution of two components, frustrating the efforts of\nthe reverse-engineers who are missing pieces of the puzzle – as is our case here.\nInformation: Last change to this tool card: 15 May 2021\nAll groups using tool DropPhone\nColumns: Changed | Name | Country | Observed\nAPT groups\nName: Goblin Panda, Cycldek, Conimes; Observed: 2013-Jun 2020\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bf1718cb-52e1-4429-abc9-1c49a73c8f57",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bf1718cb-52e1-4429-abc9-1c49a73c8f57"
	],
	"report_names": [
		"listgroups.cgi?u=bf1718cb-52e1-4429-abc9-1c49a73c8f57"
	],
	"threat_actors": [
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434414,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/337bcce07a1a9a4c4e70ffd8d116c0204db043ca.pdf",
		"text": "https://archive.orkl.eu/337bcce07a1a9a4c4e70ffd8d116c0204db043ca.txt",
		"img": "https://archive.orkl.eu/337bcce07a1a9a4c4e70ffd8d116c0204db043ca.jpg"
	}
}