{ "id": "3af0ee43-2d79-42ee-b017-a664e9eb748b", "created_at": "2026-04-06T00:19:54.05695Z", "updated_at": "2026-04-10T03:36:18.520848Z", "deleted_at": null, "sha1_hash": "47b3cd1f02a1a3031bf356bd9eef198d5f3bc5a5", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50810, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:37:49 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PLAINTEE\n Tool: PLAINTEE\nNames PLAINTEE\nCategory Malware\nType Reconnaissance, Backdoor\nDescription\n(Palo Alto) PLAINTEE is unusual in that it uses a custom UDP protocol for its network\ncommunications.\nPLAINTEE will create a unique GUID via a call to CoCreateGuid() to be used as an\nidentifier for the victim. The malware then proceeds to collect general system\nenumeration data about the infected machine and enters a loop where it will decode an\nembedded config blob and send an initial beacon to the C2 server.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool PLAINTEE\nChanged Name Country Observed\nAPT groups\n Rancor 2017\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4e8876cc-a6e4-4e3b-8637-e77d6363a1ad\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4e8876cc-a6e4-4e3b-8637-e77d6363a1ad\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4e8876cc-a6e4-4e3b-8637-e77d6363a1ad\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4e8876cc-a6e4-4e3b-8637-e77d6363a1ad" ], "report_names": [ "listgroups.cgi?u=4e8876cc-a6e4-4e3b-8637-e77d6363a1ad" ], "threat_actors": [ { "id": "e8aee970-e31e-489f-81c2-c23cd52e255c", "created_at": "2023-01-06T13:46:38.763687Z", "updated_at": "2026-04-10T02:00:03.092181Z", "deleted_at": null, "main_name": "RANCOR", "aliases": [ "Rancor Group", "G0075", "Rancor Taurus", "Rancor group", "Rancor" ], "source_name": "MISPGALAXY:RANCOR", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6d11e45c-4e31-4997-88f5-295b2564cfc6", "created_at": "2022-10-25T15:50:23.794721Z", "updated_at": "2026-04-10T02:00:05.358892Z", "deleted_at": null, "main_name": "Rancor", "aliases": [ "Rancor" ], "source_name": "MITRE:Rancor", "tools": [ "DDKONG", "PLAINTEE", "certutil" ], "source_id": "MITRE", "reports": null }, { "id": "416f8374-2b06-47e4-ba91-929b3f85d9bf", "created_at": "2022-10-25T16:07:24.093951Z", "updated_at": "2026-04-10T02:00:04.864244Z", "deleted_at": null, "main_name": "Rancor", "aliases": [ "G0075", "Rancor Group", "Rancor Taurus" ], "source_name": "ETDA:Rancor", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agentemis", "Cobalt Strike", "CobaltStrike", "DDKONG", "Derusbi", "Dudell", "ExDudell", "KHRAT", "PLAINTEE", "RoyalRoad", "certutil", "certutil.exe", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434794, "ts_updated_at": 1775792178, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/47b3cd1f02a1a3031bf356bd9eef198d5f3bc5a5.pdf", "text": "https://archive.orkl.eu/47b3cd1f02a1a3031bf356bd9eef198d5f3bc5a5.txt", "img": "https://archive.orkl.eu/47b3cd1f02a1a3031bf356bd9eef198d5f3bc5a5.jpg" } }