{ "id": "6dc758ef-f47e-4f34-a4fb-1d55d113af9b", "created_at": "2026-04-06T00:22:06.898399Z", "updated_at": "2026-04-10T03:38:01.696877Z", "deleted_at": null, "sha1_hash": "5a1c27ae9fd1b14cc19a05f43e1cd5c8990f5b86", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52314, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:49:52 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SeDLL\n Tool: SeDLL\nNames SeDLL\nCategory Malware\nType Loader\nDescription\n(Proofpoint) This DLL is used for decrypting and executing another JavaScript backdoor such\nas AIRBREAK. The DLL is registered by the installer using regsvr32. The DllRegisterServer\nexport is then called, which performs checks on the commandline parameter. If the string\n“DR” is passed as an argument, or if the DLL is running in the active session with a username\nthat is not “system”, the final JavaScript backdoor is decoded using a custom base64 alphabet.\nThis backdoor has to be present in the same directory as the dll, with a “.tmp” file extension.\nThe backdoor script is then executed using the IActiveScript and IActiveScriptParse32 COM\ninterfaces.\nInformation\nMalpedia Last change to this tool card: 24 April 2021\nDownload this tool card in JSON format\nAll groups using tool SeDLL\nChanged Name Country Observed\nAPT groups\n Leviathan, APT 40, TEMP.Periscope 2013-Jul 2021\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=caedd5d3-ee3f-4114-bc90-68648be98917\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=caedd5d3-ee3f-4114-bc90-68648be98917\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=caedd5d3-ee3f-4114-bc90-68648be98917\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=caedd5d3-ee3f-4114-bc90-68648be98917" ], "report_names": [ "listgroups.cgi?u=caedd5d3-ee3f-4114-bc90-68648be98917" ], "threat_actors": [ { "id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea", "created_at": "2023-01-06T13:46:38.745572Z", "updated_at": "2026-04-10T02:00:03.086207Z", "deleted_at": null, "main_name": "APT40", "aliases": [ "ATK29", "Red Ladon", "MUDCARP", "ISLANDDREAMS", "TEMP.Periscope", "KRYPTONITE PANDA", "G0065", "TA423", "ITG09", "Gingham Typhoon", "TEMP.Jumper", "BRONZE MOHAWK", "GADOLINIUM" ], "source_name": "MISPGALAXY:APT40", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "83025f5e-302e-46b0-baf6-650a4d313dfc", "created_at": "2024-05-01T02:03:07.971863Z", "updated_at": "2026-04-10T02:00:03.743131Z", "deleted_at": null, "main_name": "BRONZE MOHAWK", "aliases": [ "APT40 ", "GADOLINIUM ", "Gingham Typhoon ", "Kryptonite Panda ", "Leviathan ", "Nanhaishu ", "Pickleworm ", "Red Ladon ", "TA423 ", "Temp.Jumper ", "Temp.Periscope " ], "source_name": "Secureworks:BRONZE MOHAWK", "tools": [ "AIRBREAK", "BlackCoffee", "China Chopper", "Cobalt Strike", "DadJoke", "Donut", "FUSIONBLAZE", "GreenCrash", "Meterpreter", "Nanhaishu", "Orz", "SeDll" ], "source_id": "Secureworks", "reports": null }, { "id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a", "created_at": "2022-10-25T15:50:23.481057Z", "updated_at": "2026-04-10T02:00:05.306469Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "MUDCARP", "Kryptonite Panda", "Gadolinium", "BRONZE MOHAWK", "TEMP.Jumper", "APT40", "TEMP.Periscope", "Gingham Typhoon" ], "source_name": "MITRE:Leviathan", "tools": [ "Windows Credential Editor", "BITSAdmin", "HOMEFRY", "Derusbi", "at", "BLACKCOFFEE", "BADFLICK", "gh0st RAT", "PowerSploit", "MURKYTOP", "NanHaiShu", "Orz", "Cobalt Strike", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "b9806584-4d82-4f32-ae97-18a2583e8d11", "created_at": "2022-10-25T16:07:23.787833Z", "updated_at": "2026-04-10T02:00:04.749709Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "APT 40", "ATK 29", "Bronze Mohawk", "G0065", "Gadolinium", "Gingham Typhoon", "ISLANDDREAMS", "ITG09", "Jumper Taurus", "Kryptonite Panda", "Mudcarp", "Red Ladon", "TA423", "TEMP.Jumper", "TEMP.Periscope" ], "source_name": "ETDA:Leviathan", "tools": [ "AIRBREAK", "Agent.dhwf", "Agentemis", "AngryRebel", "BADFLICK", "BlackCoffee", "CHINACHOPPER", "China Chopper", "Cobalt Strike", "CobaltStrike", "DADJOKE", "Dadstache", "Derusbi", "Destroy RAT", "DestroyRAT", "Farfli", "GRILLMARK", "Gh0st RAT", "Ghost RAT", "HOMEFRY", "Hellsing Backdoor", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LUNCHMONEY", "Living off the Land", "MURKYTOP", "Moudour", "Mydoor", "NanHaiShu", "Orz", "PCRat", "PNGRAT", "PlugX", "RedDelta", "SeDLL", "Sensocode", "SinoChopper", "Sogu", "TIGERPLUG", "TVT", "Thoper", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "ZoxPNG", "cobeacon", "gresim", "scanbox" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434926, "ts_updated_at": 1775792281, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5a1c27ae9fd1b14cc19a05f43e1cd5c8990f5b86.pdf", "text": "https://archive.orkl.eu/5a1c27ae9fd1b14cc19a05f43e1cd5c8990f5b86.txt", "img": "https://archive.orkl.eu/5a1c27ae9fd1b14cc19a05f43e1cd5c8990f5b86.jpg" } }