{ "id": "9a4b96a8-a5f9-45b6-89f9-4a964f323541", "created_at": "2026-04-06T00:10:49.83829Z", "updated_at": "2026-04-10T13:11:36.966077Z", "deleted_at": null, "sha1_hash": "608df855afa5ad7e0a78351761f3b0bc0f02ab5f", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50700, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:27:36 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool DADJOKE\r\n Tool: DADJOKE\r\nNames DADJOKE\r\nCategory Malware\r\nType Backdoor, Exfiltration\r\nDescription\r\nDADJOKE was discovered as being distributed via email, targeting a South-East Asian\r\nMinistry of Defense. It is delivered as an embedded EXE file in a Word document using\r\nremote templates and a unique macro using multiple GET requests. The payload is\r\ndeployed using load-order hijacking with a benign Windows Defender executable. Stage 1\r\nhas only beacon+download functionality, made to look like a PNG file. Additional\r\nanalysis by Kaspersky found 8 campaigns over 2019 and no activity prior to January\r\n2019, DADJOKE is attributed with medium confidence to APT40.\r\nInformation \u003chttps://www.mycert.org.my/portal/advisory?id=MA-770.022020\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:DADJOKE\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool DADJOKE\r\nChanged Name Country Observed\r\nAPT groups\r\n  Leviathan, APT 40, TEMP.Periscope 2013-Jul 2021\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bfad0282-84d5-4135-84f1-24687684f5e5\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bfad0282-84d5-4135-84f1-24687684f5e5\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bfad0282-84d5-4135-84f1-24687684f5e5\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=bfad0282-84d5-4135-84f1-24687684f5e5" ], "report_names": [ "listgroups.cgi?u=bfad0282-84d5-4135-84f1-24687684f5e5" ], "threat_actors": [ { "id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea", "created_at": "2023-01-06T13:46:38.745572Z", "updated_at": "2026-04-10T02:00:03.086207Z", "deleted_at": null, "main_name": "APT40", "aliases": [ "ATK29", "Red Ladon", "MUDCARP", "ISLANDDREAMS", "TEMP.Periscope", "KRYPTONITE PANDA", "G0065", "TA423", "ITG09", "Gingham Typhoon", "TEMP.Jumper", "BRONZE MOHAWK", "GADOLINIUM" ], "source_name": "MISPGALAXY:APT40", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "83025f5e-302e-46b0-baf6-650a4d313dfc", "created_at": "2024-05-01T02:03:07.971863Z", "updated_at": "2026-04-10T02:00:03.743131Z", "deleted_at": null, "main_name": "BRONZE MOHAWK", "aliases": [ "APT40 ", "GADOLINIUM ", "Gingham Typhoon ", "Kryptonite Panda ", "Leviathan ", "Nanhaishu ", "Pickleworm ", "Red Ladon ", "TA423 ", "Temp.Jumper ", "Temp.Periscope " ], "source_name": "Secureworks:BRONZE MOHAWK", "tools": [ "AIRBREAK", "BlackCoffee", "China Chopper", "Cobalt Strike", "DadJoke", "Donut", "FUSIONBLAZE", "GreenCrash", "Meterpreter", "Nanhaishu", "Orz", "SeDll" ], "source_id": "Secureworks", "reports": null }, { "id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a", "created_at": "2022-10-25T15:50:23.481057Z", "updated_at": "2026-04-10T02:00:05.306469Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "MUDCARP", "Kryptonite Panda", "Gadolinium", "BRONZE MOHAWK", "TEMP.Jumper", "APT40", "TEMP.Periscope", "Gingham Typhoon" ], "source_name": "MITRE:Leviathan", "tools": [ "Windows Credential Editor", "BITSAdmin", "HOMEFRY", "Derusbi", "at", "BLACKCOFFEE", "BADFLICK", "gh0st RAT", "PowerSploit", "MURKYTOP", "NanHaiShu", "Orz", "Cobalt Strike", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "b9806584-4d82-4f32-ae97-18a2583e8d11", "created_at": "2022-10-25T16:07:23.787833Z", "updated_at": "2026-04-10T02:00:04.749709Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "APT 40", "ATK 29", "Bronze Mohawk", "G0065", "Gadolinium", "Gingham Typhoon", "ISLANDDREAMS", "ITG09", "Jumper Taurus", "Kryptonite Panda", "Mudcarp", "Red Ladon", "TA423", "TEMP.Jumper", "TEMP.Periscope" ], "source_name": "ETDA:Leviathan", "tools": [ "AIRBREAK", "Agent.dhwf", "Agentemis", "AngryRebel", "BADFLICK", "BlackCoffee", "CHINACHOPPER", "China Chopper", "Cobalt Strike", "CobaltStrike", "DADJOKE", "Dadstache", "Derusbi", "Destroy RAT", "DestroyRAT", "Farfli", "GRILLMARK", "Gh0st RAT", "Ghost RAT", "HOMEFRY", "Hellsing Backdoor", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LUNCHMONEY", "Living off the Land", "MURKYTOP", "Moudour", "Mydoor", "NanHaiShu", "Orz", "PCRat", "PNGRAT", "PlugX", "RedDelta", "SeDLL", "Sensocode", "SinoChopper", "Sogu", "TIGERPLUG", "TVT", "Thoper", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "ZoxPNG", "cobeacon", "gresim", "scanbox" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434249, "ts_updated_at": 1775826696, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/608df855afa5ad7e0a78351761f3b0bc0f02ab5f.pdf", "text": "https://archive.orkl.eu/608df855afa5ad7e0a78351761f3b0bc0f02ab5f.txt", "img": "https://archive.orkl.eu/608df855afa5ad7e0a78351761f3b0bc0f02ab5f.jpg" } }