{ "id": "b9febefb-7843-4b87-aa33-e28da0024ab2", "created_at": "2026-04-06T01:28:54.498451Z", "updated_at": "2026-04-10T03:36:50.282319Z", "deleted_at": null, "sha1_hash": "512ae21270bfbc3dff3514b279ae155be4c93ec1", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 62978, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:35:09 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Bozok\r\n Tool: Bozok\r\nNames\r\nBozok\r\nBozok RAT\r\nCategory Tools\r\nType Backdoor\r\nDescription\r\n(FireEye) Bozok, like many other popular RATs, is freely available. The author of the Bozok\r\nRAT goes by the moniker “Slayer616” and has created another RAT known as Schwarze\r\nSonne, or “SS-RAT” for short. Both of these RATs are free and easy to find — various APT\r\nactors have used both in previous targeted attacks.\r\nInformation\r\n\u003chttps://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html\u003e\r\n\u003chttps://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.bozok\u003e\r\nLast change to this tool card: 13 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Bozok\r\nChanged Name Country Observed\r\nAPT groups\r\n  Patchwork, Dropping Elephant 2013-Jun 2025  \r\n  Temper Panda, admin@338 2014  \r\n  Transparent Tribe, APT 36 2013-Mar 2025  \r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b84982d-1de9-4e8b-8ac3-316cb15e5ed8\r\nPage 1 of 2\n\n3 groups listed (3 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b84982d-1de9-4e8b-8ac3-316cb15e5ed8\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b84982d-1de9-4e8b-8ac3-316cb15e5ed8\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b84982d-1de9-4e8b-8ac3-316cb15e5ed8" ], "report_names": [ "listgroups.cgi?u=3b84982d-1de9-4e8b-8ac3-316cb15e5ed8" ], "threat_actors": [ { "id": "414d7c65-5872-4e56-8a7d-49a2aeef1632", "created_at": "2025-08-07T02:03:24.7983Z", "updated_at": "2026-04-10T02:00:03.76109Z", "deleted_at": null, "main_name": "COPPER FIELDSTONE", "aliases": [ "APT36 ", "Earth Karkaddan ", "Gorgon Group ", "Green Havildar ", "Mythic Leopard ", "Operation C-Major ", "Operation Transparent Tribe ", "Pasty Draco ", "ProjectM ", "Storm-0156 " ], "source_name": "Secureworks:COPPER FIELDSTONE", "tools": [ "CapraRAT", "Crimson RAT", "DarkComet", "ElizaRAT", "LuminosityLink", "ObliqueRAT", "Peppy", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4", "created_at": "2025-08-07T02:03:25.123407Z", "updated_at": "2026-04-10T02:00:03.668131Z", "deleted_at": null, "main_name": "ZINC EMERSON", "aliases": [ "Confucius ", "Dropping Elephant ", "EHDevel ", "Manul ", "Monsoon ", "Operation Hangover ", "Patchwork ", "TG-4410 ", "Viceroy Tiger " ], "source_name": "Secureworks:ZINC EMERSON", "tools": [ "Enlighten Infostealer", "Hanove", "Mac OS X KitM Spyware", "Proyecto2", "YTY Backdoor" ], "source_id": "Secureworks", "reports": null }, { "id": "fce5181c-7aab-400f-bd03-9db9e791da04", "created_at": "2022-10-25T15:50:23.759799Z", "updated_at": "2026-04-10T02:00:05.3002Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "Transparent Tribe", "COPPER FIELDSTONE", "APT36", "Mythic Leopard", "ProjectM" ], "source_name": "MITRE:Transparent Tribe", "tools": [ "DarkComet", "ObliqueRAT", "njRAT", "Peppy" ], "source_id": "MITRE", "reports": null }, { "id": "9d6f666e-3a9d-4a09-bcac-8aee96572827", "created_at": "2022-10-25T15:50:23.2832Z", "updated_at": "2026-04-10T02:00:05.268714Z", "deleted_at": null, "main_name": "admin@338", "aliases": [ "admin@338" ], "source_name": "MITRE:admin@338", "tools": [ "BUBBLEWRAP", "LOWBALL", "Systeminfo", "PoisonIvy", "netstat", "ipconfig" ], "source_id": "MITRE", "reports": null }, { "id": "1f29d13d-268d-4c26-ac4a-1ce8cebdbd3a", "created_at": "2023-01-06T13:46:38.351187Z", "updated_at": "2026-04-10T02:00:02.938577Z", "deleted_at": null, "main_name": "TEMPER PANDA", "aliases": [ "Admin338", "Team338", "admin@338", "G0018" ], "source_name": "MISPGALAXY:TEMPER PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7ea1e0de-53b9-4059-802f-485884180701", "created_at": "2022-10-25T16:07:24.04846Z", "updated_at": "2026-04-10T02:00:04.84985Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "APT-C-09", "ATK 11", "Capricorn Organisation", "Chinastrats", "Dropping Elephant", "G0040", "Maha Grass", "Quilted Tiger", "TG-4410", "Thirsty Gemini", "Zinc Emerson" ], "source_name": "ETDA:Patchwork", "tools": [ "AndroRAT", "Artra Downloader", "ArtraDownloader", "AutoIt backdoor", "BADNEWS", "BIRDDOG", "Bahamut", "Bozok", "Bozok RAT", "Brute Ratel", "Brute Ratel C4", "CinaRAT", "Crypta", "ForeIT", "JakyllHyde", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "NDiskMonitor", "Nadrac", "PGoShell", "PowerSploit", "PubFantacy", "Quasar RAT", "QuasarRAT", "Ragnatela", "Ragnatela RAT", "SocksBot", "TINYTYPHON", "Unknown Logger", "WSCSPL", "Yggdrasil" ], "source_id": "ETDA", "reports": null }, { "id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6", "created_at": "2022-10-25T15:50:23.285448Z", "updated_at": "2026-04-10T02:00:05.282202Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "Hangover Group", "Dropping Elephant", "Chinastrats", "Operation Hangover" ], "source_name": "MITRE:Patchwork", "tools": [ "NDiskMonitor", "QuasarRAT", "BackConfig", "TINYTYPHON", "AutoIt backdoor", "PowerSploit", "BADNEWS", "Unknown Logger" ], "source_id": "MITRE", "reports": null }, { "id": "c23ca3e9-6b58-4f24-b4eb-ce3b24815ac4", "created_at": "2022-10-25T16:07:24.313367Z", "updated_at": "2026-04-10T02:00:04.932247Z", "deleted_at": null, "main_name": "Temper Panda", "aliases": [ "G0018", "Team338", "Temper Panda", "admin@338" ], "source_name": "ETDA:Temper Panda", "tools": [ "BUBBLEWRAP", "Backdoor.APT.FakeWinHTTPHelper", "Bozok", "Bozok RAT", "Chymine", "Darkmoon", "Gen:Trojan.Heur.PT", "LOLBAS", "LOLBins", "LOWBALL", "Living off the Land", "Poison Ivy", "SPIVY", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "2b29dd16-a06f-4830-81a1-365443bc54b8", "created_at": "2023-01-06T13:46:38.460047Z", "updated_at": "2026-04-10T02:00:02.983931Z", "deleted_at": null, "main_name": "QUILTED TIGER", "aliases": [ "Chinastrats", "Sarit", "APT-C-09", "ZINC EMERSON", "ATK11", "G0040", "Orange Athos", "Thirsty Gemini", "Dropping Elephant" ], "source_name": "MISPGALAXY:QUILTED TIGER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "abb24b7b-6baa-4070-9a2b-aa59091097d1", "created_at": "2022-10-25T16:07:24.339942Z", "updated_at": "2026-04-10T02:00:04.944806Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "APT 36", "APT-C-56", "Copper Fieldstone", "Earth Karkaddan", "G0134", "Green Havildar", "Mythic Leopard", "Opaque Draco", "Operation C-Major", "Operation Honey Trap", "Operation Transparent Tribe", "ProjectM", "STEPPY-KAVACH", "Storm-0156", "TEMP.Lapis", "Transparent Tribe" ], "source_name": "ETDA:Transparent Tribe", "tools": [ "Amphibeon", "Android RAT", "Bezigate", "Bladabindi", "Bozok", "Bozok RAT", "BreachRAT", "Breut", "CapraRAT", "CinaRAT", "Crimson RAT", "DarkComet", "DarkKomet", "ElizaRAT", "FYNLOS", "Fynloski", "Jorik", "Krademok", "Limepad", "Luminosity RAT", "LuminosityLink", "MSIL", "MSIL/Crimson", "Mobzsar", "MumbaiDown", "Oblique RAT", "ObliqueRAT", "Peppy RAT", "Peppy Trojan", "Quasar RAT", "QuasarRAT", "SEEDOOR", "Scarimson", "SilentCMD", "Stealth Mango", "UPDATESEE", "USBWorm", "Waizsar RAT", "Yggdrasil", "beendoor", "klovbot", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "c68fa27f-e8d9-4932-856b-467ccfe39997", "created_at": "2023-01-06T13:46:38.450585Z", "updated_at": "2026-04-10T02:00:02.980334Z", "deleted_at": null, "main_name": "Operation C-Major", "aliases": [ "APT36", "APT 36", "TMP.Lapis", "COPPER FIELDSTONE", "Storm-0156", "Transparent Tribe", "ProjectM", "Green Havildar", "Earth Karkaddan", "C-Major", "Mythic Leopard" ], "source_name": "MISPGALAXY:Operation C-Major", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775438934, "ts_updated_at": 1775792210, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/512ae21270bfbc3dff3514b279ae155be4c93ec1.pdf", "text": "https://archive.orkl.eu/512ae21270bfbc3dff3514b279ae155be4c93ec1.txt", "img": "https://archive.orkl.eu/512ae21270bfbc3dff3514b279ae155be4c93ec1.jpg" } }