{
	"id": "4cadceef-2be5-4892-8a1d-5fbb5a29e51f",
	"created_at": "2026-04-06T03:35:44.589475Z",
	"updated_at": "2026-04-10T13:13:00.799136Z",
	"deleted_at": null,
	"sha1_hash": "64ef7b473b138107e4ffe038a15a7f667a753831",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49471,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 03:09:09 UTC\nTool: Godlua\nNames Godlua\nCategory Malware\nType Backdoor, Downloader\nDescription\n(Qihoo 360) The file itself is a Lua-based Backdoor, we named it Godlua Backdoor as the Lua byte-code file loaded by this sample has a magic number of “God”.\nGodlua Backdoor has a redundant communication mechanism for C2 connection, a combination of hardcoded dns name, Pastebin.com, GitHub.com as well as DNS TXT are used to store the C2 address, which is not something we see often. At the same time, it uses HTTPS to download Lua byte-code files, and uses DNS over HTTPS to get the C2 name to ensure secure communication between the bots, the Web Server and the C2.\nWe noticed that there are already 2 versions of Godlua Backdoor and there are ongoing updates. We also observed that attackers have been using Lua command to run Lua code dynamically and initiate HTTP Flood attacks targeting some websites.\nInformation Malpedia\nLast change to this tool card: 24 April 2021\nAll groups using tool Godlua\nChanged Name Country Observed\nOther groups\nRocke, Iron Group 2018-Apr 2021\n1 group listed (0 APT, 1 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=95f71f8b-d0c6-4876-918e-980b74c1f3b8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=95f71f8b-d0c6-4876-918e-980b74c1f3b8"
	],
	"report_names": [
		"listgroups.cgi?u=95f71f8b-d0c6-4876-918e-980b74c1f3b8"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b9d2809-47b7-46a8-ab2d-9687537f1bc7",
			"created_at": "2023-01-06T13:46:38.804869Z",
			"updated_at": "2026-04-10T02:00:03.107112Z",
			"deleted_at": null,
			"main_name": "Iron Group",
			"aliases": [
				"Iron Cyber Group"
			],
			"source_name": "MISPGALAXY:Iron Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446544,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64ef7b473b138107e4ffe038a15a7f667a753831.pdf",
		"text": "https://archive.orkl.eu/64ef7b473b138107e4ffe038a15a7f667a753831.txt",
		"img": "https://archive.orkl.eu/64ef7b473b138107e4ffe038a15a7f667a753831.jpg"
	}
}