{
	"id": "004b9f9d-289f-4b42-ae12-52dde856ca7d",
	"created_at": "2026-04-06T01:29:35.816263Z",
	"updated_at": "2026-04-10T13:12:29.618406Z",
	"deleted_at": null,
	"sha1_hash": "6829f60645594156f4e58e291874a36d70c3476b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52867,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:15:52 UTC\r\n Tool: LEOUNCIA\r\nNames\r\nLEOUNCIA\r\nshoco\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer\r\nDescription\r\n(FireEye) Like Vinself, Leouncia is a powerful backdoor that is designed to take complete\r\ncontrol over the infected machine.\r\nSimilar to Vinself, Leouncia also uses HTTP to carry its custom obfuscated payload. I found\r\nLeouncia's obfuscation techniques far more sophisticated than what I found within Vinself.\r\nMoreover, Leouncia tries its best to hide its presence from signature based sensors. It generates\r\nits http communication randomly by using varying levels of system information in conjunction\r\nwith Windows random number generation APIs. The result is that every instance of its C\u0026C\r\ncommunication will be different from the previous one.\r\nInformation\r\n\u003chttps://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html\u003e\r\n\u003chttps://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html\u003e\r\n\u003chttps://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia\u003e\r\nLast change to this tool card: 14 May 2020\r\nAll groups using tool LEOUNCIA\r\nChanged Name Country Observed\r\nAPT groups\r\nAPT 5, Keyhole Panda 2007-Aug 2019\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: 
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=660fc052-443f-4b96-8357-06b48255b32b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=660fc052-443f-4b96-8357-06b48255b32b"
	],
	"report_names": [
		"listgroups.cgi?u=660fc052-443f-4b96-8357-06b48255b32b"
	],
	"threat_actors": [
		{
			"id": "13bedce4-3115-4563-afd5-068e3930e68e",
			"created_at": "2023-01-06T13:46:38.623775Z",
			"updated_at": "2026-04-10T02:00:03.042652Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"KEYHOLE PANDA",
				"BRONZE FLEETWOOD",
				"TEMP.Bottle",
				"Mulberry Typhoon",
				"Poisoned Flight"
			],
			"source_name": "MISPGALAXY:APT5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55",
			"created_at": "2024-04-24T02:00:49.599348Z",
			"updated_at": "2026-04-10T02:00:05.303948Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"APT5",
				"Mulberry Typhoon",
				"BRONZE FLEETWOOD",
				"Keyhole Panda",
				"UNC2630"
			],
			"source_name": "MITRE:APT5",
			"tools": [
				"Tasklist",
				"PoisonIvy",
				"RAPIDPULSE",
				"PcShare",
				"Mimikatz",
				"SLOWPULSE",
				"SLIGHTPULSE",
				"Skeleton Key",
				"gh0st RAT",
				"PULSECHECK",
				"netstat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "37941e7c-1966-4afa-b116-753e19e72808",
			"created_at": "2022-10-25T16:07:23.321195Z",
			"updated_at": "2026-04-10T02:00:04.540299Z",
			"deleted_at": null,
			"main_name": "APT 5",
			"aliases": [
				"APT 5",
				"Bronze Fleetwood",
				"Keyhole Panda",
				"Mulberry Typhoon",
				"Poisoned Flight",
				"TEMP.Bottle",
				"TG-2754"
			],
			"source_name": "ETDA:APT 5",
			"tools": [
				"LEOUNCIA",
				"shoco"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "47a8f6c7-5b29-4892-8f47-1d46be71714f",
			"created_at": "2025-08-07T02:03:24.599925Z",
			"updated_at": "2026-04-10T02:00:03.720795Z",
			"deleted_at": null,
			"main_name": "BRONZE FLEETWOOD",
			"aliases": [
				"APT5",
				"DPD",
				"Keyhole Panda",
				"Mulberry Typhoon",
				"Poisoned Flight",
				"TG-2754"
			],
			"source_name": "Secureworks:BRONZE FLEETWOOD",
			"tools": [
				"Binanen",
				"Comfoo",
				"Gh0st RAT",
				"Isastart",
				"Leouncia",
				"Marade",
				"OrcaRAT",
				"PCShare",
				"Protux",
				"Skeleton Key",
				"SlyPidgin",
				"VinSelf"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775438975,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6829f60645594156f4e58e291874a36d70c3476b.pdf",
		"text": "https://archive.orkl.eu/6829f60645594156f4e58e291874a36d70c3476b.txt",
		"img": "https://archive.orkl.eu/6829f60645594156f4e58e291874a36d70c3476b.jpg"
	}
}