{
	"id": "05e7fe5c-5da4-4d84-bc9a-28cc835525a3",
	"created_at": "2026-04-06T00:08:44.558408Z",
	"updated_at": "2026-04-10T03:23:18.104814Z",
	"deleted_at": null,
	"sha1_hash": "45132fbe4e645e53822a84394969232c059345e2",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48492,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:54:29 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool RunningRAT\n Tool: RunningRAT\nNames\nRunningRAT\nRunning RAT\nrunning_rat\nCategory Malware\nType Reconnaissance, Backdoor, Keylogger, Info stealer\nDescription\n(McAfee) RunningRat is a remote access Trojan (RAT) that operates with two DLLs. It\ngets its name from a hardcoded string embedded in the malware. Upon being dropped\nonto a system, the first DLL executes. This DLL serves three main functions: killing\nantimalware, unpacking and executing the main RAT DLL, and obtaining persistence.\nThe malware drops the Windows batch file dx.bat, which attempts to kill the task\ndaumcleaner.exe; a Korean security program. The batch file then attempts to remove\nitself.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 28 December 2022\nDownload this tool card in JSON format\nAll groups using tool RunningRAT\nChanged Name Country Observed\nAPT groups\n Hades 2017-Oct 2020\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=df6926cd-9c41-4db7-a233-54e6ebebb6ee\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=df6926cd-9c41-4db7-a233-54e6ebebb6ee\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=df6926cd-9c41-4db7-a233-54e6ebebb6ee\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=df6926cd-9c41-4db7-a233-54e6ebebb6ee"
	],
	"report_names": [
		"listgroups.cgi?u=df6926cd-9c41-4db7-a233-54e6ebebb6ee"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434124,
	"ts_updated_at": 1775791398,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45132fbe4e645e53822a84394969232c059345e2.pdf",
		"text": "https://archive.orkl.eu/45132fbe4e645e53822a84394969232c059345e2.txt",
		"img": "https://archive.orkl.eu/45132fbe4e645e53822a84394969232c059345e2.jpg"
	}
}