{
	"id": "3e32db39-859c-4730-9728-9f7c9353a40b",
	"created_at": "2026-04-06T00:11:13.669463Z",
	"updated_at": "2026-04-10T13:12:53.292066Z",
	"deleted_at": null,
	"sha1_hash": "3517b02468db2097e77a057a8fa43d360a98eccd",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55935,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:01:35 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Bisonal\n Tool: Bisonal\nNames\nBisonal\nKorlia\nCategory Malware\nType Backdoor, Info stealer, Exfiltration, Downloader\nDescription\n(Palo Alto) In early May, Unit 42 discovered an attack campaign against at least one\ndefense company in Russia and one unidentified organization in South Korea delivering\na variant of Bisonal malware. While not previously publicly documented, the variant has\nbeen in the wild since at least 2014. There are three primary differences between it and\nolder Bisonal malware including a different cipher and encryption for C2\ncommunication, and a large rewrite of the code for both network communication and\nmaintaining persistence. To date, we have only collected 14 samples of this variant,\nindicating it may be sparingly used. The adversary behind these attacks lured the targets\ninto launching the Microsoft Windows executable malware by masquerading it as a PDF\nfile (using a fake PDF icon) and reusing publicly available data for the decoy PDF file’s\ncontents.\nAttacks using Bisonal have been blogged about in the past. In 2013, both COSEINC and\nFireEye revealed attacks using Bisonal against Japanese organizations. In October 2017,\nAhnLab published a report called “Operation Bitter Biscuit,” an attack campaign against\nSouth Korea, Japan, India and Russia using Bisonal and its successors, Bioazih and\nDexbia. We believe it is likely these tools are being used by one group of attackers.\nInformation\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c23db213-667e-48ca-ae9f-c19c503762ef\nPage 1 of 2\n\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 14 August 2020\nDownload this tool card in JSON format\nAll groups using tool Bisonal\nChanged Name Country Observed\nAPT groups\n Tonto Team, HartBeat, Karma Panda 2009-Apr 2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c23db213-667e-48ca-ae9f-c19c503762ef\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c23db213-667e-48ca-ae9f-c19c503762ef\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c23db213-667e-48ca-ae9f-c19c503762ef"
	],
	"report_names": [
		"listgroups.cgi?u=c23db213-667e-48ca-ae9f-c19c503762ef"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434273,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3517b02468db2097e77a057a8fa43d360a98eccd.pdf",
		"text": "https://archive.orkl.eu/3517b02468db2097e77a057a8fa43d360a98eccd.txt",
		"img": "https://archive.orkl.eu/3517b02468db2097e77a057a8fa43d360a98eccd.jpg"
	}
}