{
	"id": "c61dee03-aa7e-4147-9dc8-fa905db0d4d6",
	"created_at": "2026-04-06T00:12:42.393133Z",
	"updated_at": "2026-04-10T13:11:54.096354Z",
	"deleted_at": null,
	"sha1_hash": "34688e0f7203f870dc42090dcf514b356fb24a69",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49310,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:22:25 UTC\r\n Tool: Korkerds\r\nNames Korkerds\r\nCategory Malware\r\nType Miner\r\nDescription\r\n(Trend Micro) We recently encountered a cryptocurrency-mining malware (detected by\r\nTrend Micro as Coinminer.Linux.KORKERDS.AB) affecting Linux systems. It is notable\r\nfor being bundled with a rootkit component (Rootkit.Linux.KORKERDS.AA) that hides\r\nthe malicious process’ presence from monitoring tools. This makes it difficult to detect, as\r\ninfected systems will only indicate performance issues. The malware is also capable of\r\nupdating and upgrading itself and its configuration file.\r\nInformation\r\n\u003chttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:KORKERDS\u003e\r\nLast change to this tool card: 20 April 2020\r\nAll groups using tool Korkerds\r\nChanged Name Country Observed\r\nOther groups\r\n  Pacha Group 2018-May 2019  \r\n1 group listed (0 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=550a5977-5c87-4bfd-b1fc-90e1a4fbf55e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=550a5977-5c87-4bfd-b1fc-90e1a4fbf55e"
	],
	"report_names": [
		"listgroups.cgi?u=550a5977-5c87-4bfd-b1fc-90e1a4fbf55e"
	],
	"threat_actors": [
		{
			"id": "18bcbaa6-8e7b-43c4-9db7-8b0b315ee5a3",
			"created_at": "2023-01-06T13:46:39.024086Z",
			"updated_at": "2026-04-10T02:00:03.184974Z",
			"deleted_at": null,
			"main_name": "Pacha Group",
			"aliases": [],
			"source_name": "MISPGALAXY:Pacha Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "484c5fed-029e-4504-b75a-bbdbc9460595",
			"created_at": "2022-10-25T16:07:24.529893Z",
			"updated_at": "2026-04-10T02:00:05.02425Z",
			"deleted_at": null,
			"main_name": "Pacha Group",
			"aliases": [],
			"source_name": "ETDA:Pacha Group",
			"tools": [
				"Antd",
				"DDG",
				"GreedyAntd",
				"Korkerds",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434362,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34688e0f7203f870dc42090dcf514b356fb24a69.pdf",
		"text": "https://archive.orkl.eu/34688e0f7203f870dc42090dcf514b356fb24a69.txt",
		"img": "https://archive.orkl.eu/34688e0f7203f870dc42090dcf514b356fb24a69.jpg"
	}
}