{
	"id": "1eb2b41f-eb44-4581-a5d8-9eb2a51ab7b5",
	"created_at": "2026-04-06T00:06:06.340405Z",
	"updated_at": "2026-04-10T03:35:26.979625Z",
	"deleted_at": null,
	"sha1_hash": "3d99576023cd86e267f317329c40a9b3bec7d40d",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47146,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:37:42 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Agent Racoon\n Tool: Agent Racoon\nNames Agent Racoon\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) This malware family is written using the .NET framework and leverages the\ndomain name service (DNS) protocol to create a covert channel and provide different\nbackdoor functionalities. Threat actors have used this along with the other two tools in\nmultiple attacks targeting organizations across the U.S., Middle East and Africa. Its C2\ninfrastructure dates back to 2020.\nInformation Malpedia Last change to this tool card: 27 December 2024\nDownload this tool card in JSON format\nAll groups using tool Agent Racoon\nChanged Name Country Observed\nAPT groups\n Operation Diplomatic Specter 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cbeb7fae-a592-4100-b205-48ec21bbdef0\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cbeb7fae-a592-4100-b205-48ec21bbdef0\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cbeb7fae-a592-4100-b205-48ec21bbdef0"
	],
	"report_names": [
		"listgroups.cgi?u=cbeb7fae-a592-4100-b205-48ec21bbdef0"
	],
	"threat_actors": [
		{
			"id": "cff2cedd-a198-4e79-ae67-19048084ae7f",
			"created_at": "2024-06-20T02:02:09.945126Z",
			"updated_at": "2026-04-10T02:00:04.79991Z",
			"deleted_at": null,
			"main_name": "Operation Diplomatic Specter",
			"aliases": [
				"CL-STA-0043",
				"TGR-STA-0043"
			],
			"source_name": "ETDA:Operation Diplomatic Specter",
			"tools": [
				"Agent Racoon",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotatoNG",
				"Kaba",
				"Korplug",
				"LadonGo",
				"Mimikatz",
				"Mimilite",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"Ntospy",
				"PCRat",
				"PlugX",
				"RedDelta",
				"SharpEfsPotato",
				"SinoChopper",
				"Sogu",
				"SweetSpecter",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TunnelSpecter",
				"Xamtrav",
				"Yasso",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433966,
	"ts_updated_at": 1775792126,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d99576023cd86e267f317329c40a9b3bec7d40d.pdf",
		"text": "https://archive.orkl.eu/3d99576023cd86e267f317329c40a9b3bec7d40d.txt",
		"img": "https://archive.orkl.eu/3d99576023cd86e267f317329c40a9b3bec7d40d.jpg"
	}
}