{
	"id": "d8b45a38-f012-4ec4-bd10-1ce4de38e8cf",
	"created_at": "2026-04-06T00:07:05.399262Z",
	"updated_at": "2026-04-10T03:33:54.612627Z",
	"deleted_at": null,
	"sha1_hash": "3c52306d4308b9b4e101a4c3a4ac1464aa388eb6",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49516,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:26:52 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PGoShell\r\n Tool: PGoShell\r\nNames PGoShell\r\nCategory Malware\r\nType Backdoor, Info stealer, Downloader\r\nDescription\r\n(Knownsec 404) PGoShell is developed in the Go programming language, overall, it offers a\r\nrich set of functionalities, including remote shell capabilities, screen capture, and downloading\r\nand executing payloads.It was initially named for its primary feature of remote shell capability.\r\nInformation\r\n\u003chttps://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87\u003e\r\nLast change to this tool card: 27 August 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool PGoShell\r\nChanged Name Country Observed\r\nAPT groups\r\n  Patchwork, Dropping Elephant 2013-Jun 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=762e6de4-062d-4298-b622-97efdf448c6e\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=762e6de4-062d-4298-b622-97efdf448c6e\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=762e6de4-062d-4298-b622-97efdf448c6e"
	],
	"report_names": [
		"listgroups.cgi?u=762e6de4-062d-4298-b622-97efdf448c6e"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434025,
	"ts_updated_at": 1775792034,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c52306d4308b9b4e101a4c3a4ac1464aa388eb6.pdf",
		"text": "https://archive.orkl.eu/3c52306d4308b9b4e101a4c3a4ac1464aa388eb6.txt",
		"img": "https://archive.orkl.eu/3c52306d4308b9b4e101a4c3a4ac1464aa388eb6.jpg"
	}
}