{
	"id": "f68c9bfc-102c-4bcd-a312-c5d4c0b6736f",
	"created_at": "2026-04-06T00:13:58.353813Z",
	"updated_at": "2026-04-10T03:35:20.342813Z",
	"deleted_at": null,
	"sha1_hash": "5304fabdb462b0b5620eef17f01f75cab2f1cd2e",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52359,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 10:52:36 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BitRAT\n Tool: BitRAT\nNames BitRAT\nCategory Malware\nType Backdoor, Info stealer, Credential stealer, Keylogger\nDescription\n(Krabs on Security) As is the case with most HF malware, BitRAT is best described as an\namalgamation of poorly pasted leaked source code slapped together alongside a fancy C# GUI.\nIt makes heavy use of libraries such as C++ Standard Library, Boost, OpenCV, and libcurl, as\nwell as code copied directly from leaked malware source code or sites including\nStackOverflow. The choice of Camellia is somewhat unique, I have not seen this specific\nalgorithm used in malware before.\nInformation\nMalpedia Last change to this tool card: 15 February 2023\nDownload this tool card in JSON format\nAll groups using tool BitRAT\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=041f9066-8f22-48b7-bb50-5d2ca3bf6410\nPage 1 of 2\n\nBlind Eagle 2018-Nov 2024  \r\n  OPERA1ER [Unknown] 2016-Jul 2023\r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=041f9066-8f22-48b7-bb50-5d2ca3bf6410\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=041f9066-8f22-48b7-bb50-5d2ca3bf6410\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=041f9066-8f22-48b7-bb50-5d2ca3bf6410"
	],
	"report_names": [
		"listgroups.cgi?u=041f9066-8f22-48b7-bb50-5d2ca3bf6410"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "11c69e3d-a740-4a70-abd3-158ac0375452",
			"created_at": "2023-01-06T13:46:39.29608Z",
			"updated_at": "2026-04-10T02:00:03.27813Z",
			"deleted_at": null,
			"main_name": "Common Raven",
			"aliases": [
				"NXSMS",
				"DESKTOP-GROUP",
				"OPERA1ER"
			],
			"source_name": "MISPGALAXY:Common Raven",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a1071a25-d7c1-41be-a97f-2ec1b167ceb0",
			"created_at": "2023-02-18T02:04:24.365926Z",
			"updated_at": "2026-04-10T02:00:04.792271Z",
			"deleted_at": null,
			"main_name": "OPERA1ER",
			"aliases": [
				"Common Raven",
				"DESKTOP-GROUP",
				"NXSMS",
				"Operation Nervone"
			],
			"source_name": "ETDA:OPERA1ER",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Agentemis",
				"BitRAT",
				"BlackNET RAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Kasidet",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"Ngrok",
				"Origin Logger",
				"PsExec",
				"RDPWrap",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revealer Keylogger",
				"Socmer",
				"VenomRAT",
				"ZPAQ",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434438,
	"ts_updated_at": 1775792120,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5304fabdb462b0b5620eef17f01f75cab2f1cd2e.pdf",
		"text": "https://archive.orkl.eu/5304fabdb462b0b5620eef17f01f75cab2f1cd2e.txt",
		"img": "https://archive.orkl.eu/5304fabdb462b0b5620eef17f01f75cab2f1cd2e.jpg"
	}
}