{
	"id": "9c8a13df-96af-4df3-b1b2-e9cc1d04c605",
	"created_at": "2026-04-06T00:20:00.705216Z",
	"updated_at": "2026-04-10T03:35:10.796624Z",
	"deleted_at": null,
	"sha1_hash": "347fa70d910130c69797e333470624bdd2897ce3",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49003,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:15:58 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool oRAT\r\n Tool: oRAT\r\nNames oRAT\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer, Tunneling, Exfiltration\r\nDescription\r\n(Trend Micro) Another malware family that we obtained both Windows and macOS samples\r\nof during our investigation was oRAT. Interestingly, this was the first time that we had\r\nanalyzed samples of this malware family written in the Go language.\r\nInformation\r\n\u003chttps://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/osx.orat\u003e\r\nLast change to this tool card: 27 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool oRAT\r\nChanged Name Country Observed\r\nAPT groups\r\n  Earth Berberoka 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b999fd13-e5d2-4056-9676-907b6e1be7d0\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b999fd13-e5d2-4056-9676-907b6e1be7d0\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b999fd13-e5d2-4056-9676-907b6e1be7d0"
	],
	"report_names": [
		"listgroups.cgi?u=b999fd13-e5d2-4056-9676-907b6e1be7d0"
	],
	"threat_actors": [
		{
			"id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01",
			"created_at": "2022-10-25T16:07:23.562676Z",
			"updated_at": "2026-04-10T02:00:04.662064Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "ETDA:Earth Berberoka",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"AsyncRAT",
				"CinaRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"PuppetLoader",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav",
				"Yggdrasil",
				"oRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2664d6f5-f918-4978-87f8-f6afad7402c6",
			"created_at": "2023-01-06T13:46:39.393669Z",
			"updated_at": "2026-04-10T02:00:03.312065Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "MISPGALAXY:Earth Berberoka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434800,
	"ts_updated_at": 1775792110,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/347fa70d910130c69797e333470624bdd2897ce3.pdf",
		"text": "https://archive.orkl.eu/347fa70d910130c69797e333470624bdd2897ce3.txt",
		"img": "https://archive.orkl.eu/347fa70d910130c69797e333470624bdd2897ce3.jpg"
	}
}