{
	"id": "853ba0c0-8324-4ec0-9251-f964b802df31",
	"created_at": "2026-04-06T00:10:31.591341Z",
	"updated_at": "2026-04-10T13:11:56.692276Z",
	"deleted_at": null,
	"sha1_hash": "6a867b41e82b8efacd9d0cb6ce2b238c3a7998c9",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50659,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 12:38:14 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool IRAFAU\r\n Tool: IRAFAU\r\nNames IRAFAU\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Fortinet) The backdoor, which we now call “IRAFAU” from a decrypted string found during\r\nanalysis, comes as a file packed with what looks to be modified UPX. Regardless, unpacking it\r\nis simple.\r\nOnce unpacked, the backdoor malware’s behavior was not obvious because its strings were\r\nstill encrypted and APIs used had been dynamically imported.\r\nSo, the first thing this malware does is to initialize a structure where it stores the decrypted\r\nstrings that will be used in the next function calls. This includes the command and control\r\nserver string, function pointers, and dynamically imported APIs that will be used throughout\r\nits execution. This structure is passed as a parameter to subsequent functions.\r\nInformation\r\n\u003chttps://www.fortinet.com/blog/threat-research/cve-2017-11826-exploited-in-the-wild-with-politically-themed-rtf-document\u003e\r\nLast change to this tool card: 27 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool IRAFAU\r\nChanged Name Country Observed\r\nAPT groups\r\n  Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon 2010-Oct 2024  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5401d405-232f-4c64-ad31-4d30274bd90f\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5401d405-232f-4c64-ad31-4d30274bd90f\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5401d405-232f-4c64-ad31-4d30274bd90f\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5401d405-232f-4c64-ad31-4d30274bd90f"
	],
	"report_names": [
		"listgroups.cgi?u=5401d405-232f-4c64-ad31-4d30274bd90f"
	],
	"threat_actors": [
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "adfbe698-24b2-41fc-a701-781fef330b16",
			"created_at": "2024-01-09T02:00:04.17648Z",
			"updated_at": "2026-04-10T02:00:03.504826Z",
			"deleted_at": null,
			"main_name": "GREF",
			"aliases": [],
			"source_name": "MISPGALAXY:GREF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434231,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a867b41e82b8efacd9d0cb6ce2b238c3a7998c9.pdf",
		"text": "https://archive.orkl.eu/6a867b41e82b8efacd9d0cb6ce2b238c3a7998c9.txt",
		"img": "https://archive.orkl.eu/6a867b41e82b8efacd9d0cb6ce2b238c3a7998c9.jpg"
	}
}