{
	"id": "08ac053a-d060-4683-957b-5326368ca3e0",
	"created_at": "2026-04-06T00:20:11.081218Z",
	"updated_at": "2026-04-10T13:13:04.613291Z",
	"deleted_at": null,
	"sha1_hash": "39f8349f626d805fde00d3b36bb6b24006558728",
	"title": "Cardinal RAT - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49922,
	"plain_text": "Cardinal RAT - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:42:53 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Cardinal RAT\nTool: Cardinal RAT\nNames: Cardinal RAT\nCategory: Malware\nType: Reconnaissance, Backdoor, Keylogger, Info stealer, Credential stealer, Downloader, Exfiltration, Tunneling\nDescription\n(Palo Alto) The name Cardinal RAT comes from internal names used by the author within the observed Microsoft .NET Framework executables. To date, 27 unique samples of Cardinal RAT have been observed, dating back to December 2015. It is likely that the low volume of samples seen in the wild is partly responsible for the fact that this malware family has remained under the radar for so long.\nThe malware itself is equipped with a number of features, including the following:\n• Collect victim information\n• Update settings\n• Act as a reverse proxy\n• Execute command\n• Uninstall itself\n• Recover passwords\n• Download and Execute new files\n• Keylogging\n• Capture screenshots\n• Update Cardinal RAT\n• Clean cookies from browsers\nInformation\nMITRE ATT\u0026CK, Malpedia, AlienVault OTX\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fca0a40a-ae80-4525-82ad-ca1cf627344a\nPage 1 of 2\n\nLast change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Cardinal RAT\nChanged Name Country Observed\nAPT groups\nEvilnum [Unknown] 2018-2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fca0a40a-ae80-4525-82ad-ca1cf627344a\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fca0a40a-ae80-4525-82ad-ca1cf627344a\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fca0a40a-ae80-4525-82ad-ca1cf627344a"
	],
	"report_names": [
		"listgroups.cgi?u=fca0a40a-ae80-4525-82ad-ca1cf627344a"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434811,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39f8349f626d805fde00d3b36bb6b24006558728.pdf",
		"text": "https://archive.orkl.eu/39f8349f626d805fde00d3b36bb6b24006558728.txt",
		"img": "https://archive.orkl.eu/39f8349f626d805fde00d3b36bb6b24006558728.jpg"
	}
}