{ "id": "877519ce-9530-4c25-a82e-3d17a077e287", "created_at": "2026-04-06T00:18:28.193884Z", "updated_at": "2026-04-10T03:36:33.529887Z", "deleted_at": null, "sha1_hash": "5aab0795594092e9204f5fbc530586d6454db7a5", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48928, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:43:58 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Orat\r\n Tool: Orat\r\nNames Orat\r\nCategory Malware\r\nType Loader\r\nDescription\r\n(SecureWorks) CTU researchers have only observed this basic loader tool in the context of\r\nBRONZE PRESIDENT intrusions. ORat is the name assigned by the malware author, as\r\ndenoted by the program debug database string in the analyzed sample:\r\nD:\\vswork\\Plugin\\ORat\\build\\Release\\ORatServer\\Loader.pdb. The tool uses the Windows\r\nManagement Instrumentation (WMI) event consumer for persistence by installing a script to\r\nthe system's WMI registry. Messages sent from ORat to its command and control (C2) server\r\nstart with the string 'VIEWS0018x'. If the data received from the C2 server starts with the\r\nsame string, then the remainder of the payload is decompressed using ORat's 'deflate'\r\nalgorithm and called as a function. ORat acts as a flexible loader tool rather than a fully\r\nfeatured remote access tool.\r\nInformation \u003chttps://www.secureworks.com/research/bronze-president-targets-ngos\u003e\r\nLast change to this tool card: 04 April 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool Orat\r\nChanged Name Country Observed\r\nAPT groups\r\n  Mustang Panda, Bronze President 2012-Jun 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=19552048-5564-480f-9e53-1411a008c8b4\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=19552048-5564-480f-9e53-1411a008c8b4\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=19552048-5564-480f-9e53-1411a008c8b4\r\nPage 2 of 2\n\nAPT groups Mustang Panda, Bronze President 2012-Jun 2025 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=19552048-5564-480f-9e53-1411a008c8b4" ], "report_names": [ "listgroups.cgi?u=19552048-5564-480f-9e53-1411a008c8b4" ], "threat_actors": [ { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434708, "ts_updated_at": 1775792193, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5aab0795594092e9204f5fbc530586d6454db7a5.pdf", "text": "https://archive.orkl.eu/5aab0795594092e9204f5fbc530586d6454db7a5.txt", "img": "https://archive.orkl.eu/5aab0795594092e9204f5fbc530586d6454db7a5.jpg" } }