{
	"id": "7b1c2149-ef3a-4123-9627-dfb29d2baff2",
	"created_at": "2026-04-06T00:16:28.385969Z",
	"updated_at": "2026-04-10T13:13:04.018036Z",
	"deleted_at": null,
	"sha1_hash": "6bc5f66b212c9e46224b3e6a8039e8013ca46542",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50347,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:02:06 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool C0d0so0\n Tool: C0d0so0\nNames C0d0so0\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) Two variants of the malware employed by C0d0so0 were discovered—one\nthat used HTTP for command and control (C2) communications, and one that used a\ncustom network protocol over port 22.\nIn these newly discovered C0d0so0 attacks, several of the targeted hosts were identified\nas server systems, instead of user endpoints, suggesting the possibility that these specific\ntargets will be used in future attacks as additional watering holes. Both of the malware\nvariants encoded and compressed the underlying network traffic to bypass any network-based security controls that were implemented.\nThe malware variants in question do not appear to belong to any known malware family,\nalthough the structure of the network communication does bear a resemblance to the\nDerusbi malware family, which has shown to be unique to Chinese cyber espionage\noperators. Past observations of Derusbi in various attack campaigns indicate the version\nused was compiled specifically for that campaign.\nDerusbi has had both the client and\nserver variants deployed, using different combinations of configurations and modules.\nThe newly discovered activity is consistent with this procedure, with compile times only a\nfew days prior to the observed attacks.\nInformation Malpedia AlienVault OTX Last change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool C0d0so0\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f01aa65c-7a53-43fa-a0f1-873061171574\nPage 1 of 2\n\nChanged Name Country Observed\nAPT groups\n  APT 19, Deep Panda, C0d0so0 2013-Mar 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f01aa65c-7a53-43fa-a0f1-873061171574\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f01aa65c-7a53-43fa-a0f1-873061171574"
	],
	"report_names": [
		"listgroups.cgi?u=f01aa65c-7a53-43fa-a0f1-873061171574"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434588,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bc5f66b212c9e46224b3e6a8039e8013ca46542.pdf",
		"text": "https://archive.orkl.eu/6bc5f66b212c9e46224b3e6a8039e8013ca46542.txt",
		"img": "https://archive.orkl.eu/6bc5f66b212c9e46224b3e6a8039e8013ca46542.jpg"
	}
}