{
	"id": "77616c1b-d82e-462a-ba35-b8a3d064e458",
	"created_at": "2026-04-06T00:10:10.685175Z",
	"updated_at": "2026-04-10T13:12:34.915037Z",
	"deleted_at": null,
	"sha1_hash": "6986da2c05a7c0536726291ab6b0a7f6b2a6ee87",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52793,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:33:21 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Emissary\n Tool: Emissary\nNames Emissary\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) This Trojan is related to the Elise backdoor described in the Operation Lotus\nBlossom report. Both Emissary and Elise are part of a malware group referred to as\n“LStudio”, which is based on the following debug strings found in Emissary and Elise\nsamples.\nThere is code overlap between Emissary and Elise, specifically in the use of a common\nfunction to log debug messages to a file and a custom algorithm to decrypt the\nconfiguration file. The custom algorithm used by Emissary and Elise to decrypt their\nconfigurations use the “srand” function to set a seed value for the “rand” function,\nwhich the algorithm uses to generate a key. While the “rand” function is meant to\ngenerate random numbers, the malware author uses the “srand” function to seed the\n“rand” function with a static value. The static seed value causes the “rand” function to\ncreate the same values each time it is called and results in a static key to decrypt the\nconfiguration. The seed value is where the Emissary and Elise differ in their use of this\nalgorithm, as Emissary uses a seed value of 1024 and Elise uses the seed value of 2012.\nWhile these two Trojans share code, we consider Emissary and Elise separate tools since\ntheir configuration structure, command handler and C2 communications channel differ.\nThe Emissary Trojan delivered in this attack contains the components listed in Table 1.\nAt a high level, Emissary has an initial loader DLL that extracts a configuration file and\na second DLL containing Emissary’s functional code that it injects into Internet\nExplorer.\nInformation\nMITRE ATT\u0026CK https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ff940eeb-a58a-41f6-93ca-8f61eb3abe46\nPage 1 of 2\n\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.emissary\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool Emissary\r\nChanged Name Country Observed\r\nAPT groups\r\n  Lotus Blossom, Spring Dragon, Thrip 2012-Aug 2024  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ff940eeb-a58a-41f6-93ca-8f61eb3abe46\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ff940eeb-a58a-41f6-93ca-8f61eb3abe46\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ff940eeb-a58a-41f6-93ca-8f61eb3abe46"
	],
	"report_names": [
		"listgroups.cgi?u=ff940eeb-a58a-41f6-93ca-8f61eb3abe46"
	],
	"threat_actors": [
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6986da2c05a7c0536726291ab6b0a7f6b2a6ee87.pdf",
		"text": "https://archive.orkl.eu/6986da2c05a7c0536726291ab6b0a7f6b2a6ee87.txt",
		"img": "https://archive.orkl.eu/6986da2c05a7c0536726291ab6b0a7f6b2a6ee87.jpg"
	}
}