{
	"id": "ad467224-9ea3-4f09-bcda-7ca67b670f66",
	"created_at": "2026-04-06T00:09:22.236761Z",
	"updated_at": "2026-04-10T13:13:10.59615Z",
	"deleted_at": null,
	"sha1_hash": "4f57b37789a40d3dafbaf2640c009a9ff21bba12",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47398,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:44:25 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool CoreLoader\nTool: CoreLoader\nNames: CoreLoader\nCategory: Malware\nType: Loader\nDescription:\n(Kaspersky) CoreLoader, the last malware we found associated to this set of activity, is a simple shellcode loader which performs anti-analysis and loads additional code from a file named WsmRes.xsl. Again, this specific file eluded our attempts to catch it but we suspect it to be, one way or another, related to FoundCore (described in the previous section).\nInformation: Last change to this tool card: 15 May 2021\nDownload this tool card in JSON format\nAll groups using tool CoreLoader\nChanged Name Country Observed\nAPT groups\nGoblin Panda, Cycldek, Conimes; observed 2013-Jun 2020\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=904bb94c-6e68-43a6-913a-ce026f9de390\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=904bb94c-6e68-43a6-913a-ce026f9de390\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=904bb94c-6e68-43a6-913a-ce026f9de390"
	],
	"report_names": [
		"listgroups.cgi?u=904bb94c-6e68-43a6-913a-ce026f9de390"
	],
	"threat_actors": [
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f57b37789a40d3dafbaf2640c009a9ff21bba12.pdf",
		"text": "https://archive.orkl.eu/4f57b37789a40d3dafbaf2640c009a9ff21bba12.txt",
		"img": "https://archive.orkl.eu/4f57b37789a40d3dafbaf2640c009a9ff21bba12.jpg"
	}
}