{
	"id": "1d46a570-8d00-4735-b380-8d4692aa48e8",
	"created_at": "2026-04-06T00:17:50.049951Z",
	"updated_at": "2026-04-10T13:11:40.833498Z",
	"deleted_at": null,
	"sha1_hash": "6adc421394229f4947c110a4052d54902b320b70",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48376,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:48:10 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Dudell\n Tool: Dudell\nNames Dudell\nCategory Malware\nType Loader\nDescription\n(Palo Alto) The DUDELL sample is a weaponized Microsoft Excel document that\ncontains a malicious macro that runs on the victim’s machine. It shares the same\nmalicious behavior reported by Checkpoint in Rancor: The Year of The Phish SHA-1\nc829f5f9ff89210c888c1559bb085ec6e65232de. In Check Point’s blog, the sample is from\nDecember 2018 while this sample is from April 2018.\nInformation\nAlienVault OTX Last change to this tool card: 01 May 2020\nDownload this tool card in JSON format\nAll groups using tool Dudell\nChanged Name Country Observed\nAPT groups\n Rancor 2017\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8c55a347-f45c-4a6a-a9a5-4e5387c01313\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8c55a347-f45c-4a6a-a9a5-4e5387c01313\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8c55a347-f45c-4a6a-a9a5-4e5387c01313"
	],
	"report_names": [
		"listgroups.cgi?u=8c55a347-f45c-4a6a-a9a5-4e5387c01313"
	],
	"threat_actors": [
		{
			"id": "e8aee970-e31e-489f-81c2-c23cd52e255c",
			"created_at": "2023-01-06T13:46:38.763687Z",
			"updated_at": "2026-04-10T02:00:03.092181Z",
			"deleted_at": null,
			"main_name": "RANCOR",
			"aliases": [
				"Rancor Group",
				"G0075",
				"Rancor Taurus",
				"Rancor group",
				"Rancor"
			],
			"source_name": "MISPGALAXY:RANCOR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d11e45c-4e31-4997-88f5-295b2564cfc6",
			"created_at": "2022-10-25T15:50:23.794721Z",
			"updated_at": "2026-04-10T02:00:05.358892Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"Rancor"
			],
			"source_name": "MITRE:Rancor",
			"tools": [
				"DDKONG",
				"PLAINTEE",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "416f8374-2b06-47e4-ba91-929b3f85d9bf",
			"created_at": "2022-10-25T16:07:24.093951Z",
			"updated_at": "2026-04-10T02:00:04.864244Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"G0075",
				"Rancor Group",
				"Rancor Taurus"
			],
			"source_name": "ETDA:Rancor",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DDKONG",
				"Derusbi",
				"Dudell",
				"ExDudell",
				"KHRAT",
				"PLAINTEE",
				"RoyalRoad",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434670,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6adc421394229f4947c110a4052d54902b320b70.pdf",
		"text": "https://archive.orkl.eu/6adc421394229f4947c110a4052d54902b320b70.txt",
		"img": "https://archive.orkl.eu/6adc421394229f4947c110a4052d54902b320b70.jpg"
	}
}