{
	"id": "879da7d0-ed1b-4311-b45a-b00ad830af44",
	"created_at": "2026-04-06T00:09:05.203421Z",
	"updated_at": "2026-04-10T03:33:56.968159Z",
	"deleted_at": null,
	"sha1_hash": "3d6499a076f767a4559cd0a37ba3da684b23f375",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48061,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:09:59 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ORPCBackdoor\n Tool: ORPCBackdoor\nNames ORPCBackdoor\nCategory Malware\nType Backdoor\nDescription\n(Knownsec 404) Recently, Knownsec 404 Advanced Threat Intelligence Team found a new\nDLL backdoor in the Arsenal of Bitter during the continuous tracking process, the original\nname is OLEMAPI32.DLL, the product name is Microsoft Outlook, the discovered backdoor\nuses a more unique communication method.\nIn contrast to the group's other weapons, the backdoor communication method discovered this\ntime uses RPC to interact with the server.\nAccording to the available information, the newly discovered back door is most likely to target\nOutlook user groups. In order to facilitate follow-up tracking, hunting and differentiation, we\nnamed it ORPCBackdoor based on this feature.\nInformation\nMalpedia Last change to this tool card: 27 December 2024\nDownload this tool card in JSON format\nAll groups using tool ORPCBackdoor\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a83bf18c-31cb-4103-ae7b-9127d86fc766\nPage 1 of 2\n\nAPT groups\r\n  Mysterious Elephant [Unknown] 2023  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a83bf18c-31cb-4103-ae7b-9127d86fc766\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a83bf18c-31cb-4103-ae7b-9127d86fc766\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a83bf18c-31cb-4103-ae7b-9127d86fc766"
	],
	"report_names": [
		"listgroups.cgi?u=a83bf18c-31cb-4103-ae7b-9127d86fc766"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f5339d7c-473e-4b49-b44c-189b4f72b585",
			"created_at": "2024-12-28T02:01:54.8259Z",
			"updated_at": "2026-04-10T02:00:04.778045Z",
			"deleted_at": null,
			"main_name": "Mysterious Elephant",
			"aliases": [
				"APT-K-47"
			],
			"source_name": "ETDA:Mysterious Elephant",
			"tools": [
				"ORPCBackdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434145,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d6499a076f767a4559cd0a37ba3da684b23f375.pdf",
		"text": "https://archive.orkl.eu/3d6499a076f767a4559cd0a37ba3da684b23f375.txt",
		"img": "https://archive.orkl.eu/3d6499a076f767a4559cd0a37ba3da684b23f375.jpg"
	}
}