{ "id": "37977f79-0b78-4cea-bbf7-bf12b127b5b9", "created_at": "2026-04-06T00:19:58.088578Z", "updated_at": "2026-04-10T03:36:18.50388Z", "deleted_at": null, "sha1_hash": "6c07d1576c8354df6844013cc761f9ef76daa708", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52961, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:43:14 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool KHRAT\n Tool: KHRAT\nNames KHRAT\nCategory Malware\nType Reconnaissance, Backdoor, Keylogger, Info stealer\nDescription\n(Palo Alto) KHRAT is a Trojan that registers victims using their infected machine’s\nusername, system language and local IP address. KHRAT provides the threat actors\ntypical RAT features and access to the victim system, including keylogging, screenshot\ncapabilities, remote shell access and so on.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 14 May 2020\nDownload this tool card in JSON format\nAll groups using tool KHRAT\nChanged Name Country Observed\nAPT groups\n DragonOK 2015-Jan 2017\n Rancor 2017\n2 groups listed (2 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=550bfaa7-7fce-4967-b03e-a1e14dddba03\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=550bfaa7-7fce-4967-b03e-a1e14dddba03\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=550bfaa7-7fce-4967-b03e-a1e14dddba03\r\nPage 2 of 2\n\n DragonOK Rancor 2015-Jan 2017 2017 \n2 groups listed (2 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=550bfaa7-7fce-4967-b03e-a1e14dddba03" ], "report_names": [ "listgroups.cgi?u=550bfaa7-7fce-4967-b03e-a1e14dddba03" ], "threat_actors": [ { "id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0", "created_at": "2023-01-06T13:46:38.469688Z", "updated_at": "2026-04-10T02:00:02.987949Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "Moafee", "BRONZE OVERBROOK", "G0017", "G0002", "Shallow Taurus" ], "source_name": "MISPGALAXY:DragonOK", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28", "created_at": "2022-10-25T15:50:23.78829Z", "updated_at": "2026-04-10T02:00:05.415039Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "DragonOK" ], "source_name": "MITRE:DragonOK", "tools": [ "PoisonIvy", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "e8aee970-e31e-489f-81c2-c23cd52e255c", "created_at": "2023-01-06T13:46:38.763687Z", "updated_at": "2026-04-10T02:00:03.092181Z", "deleted_at": null, "main_name": "RANCOR", "aliases": [ "Rancor Group", "G0075", "Rancor Taurus", "Rancor group", "Rancor" ], "source_name": "MISPGALAXY:RANCOR", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6d11e45c-4e31-4997-88f5-295b2564cfc6", "created_at": "2022-10-25T15:50:23.794721Z", "updated_at": "2026-04-10T02:00:05.358892Z", "deleted_at": null, "main_name": "Rancor", "aliases": [ "Rancor" ], "source_name": "MITRE:Rancor", "tools": [ "DDKONG", "PLAINTEE", "certutil" ], "source_id": "MITRE", "reports": null }, { "id": "593dd07d-853c-46cd-8117-e24061034bbf", "created_at": "2025-08-07T02:03:24.648074Z", "updated_at": "2026-04-10T02:00:03.625859Z", "deleted_at": null, "main_name": "BRONZE OVERBROOK", "aliases": [ "Danti ", "DragonOK ", "Samurai Panda ", "Shallow Taurus ", "Temp.DragonOK " ], "source_name": "Secureworks:BRONZE OVERBROOK", "tools": [ "Aveo", "DDKONG", "Godzilla Webshell", "HelloBridge", "IsSpace", "NFLog Trojan", "PLAINTEE", "PlugX", "Rambo" ], "source_id": "Secureworks", "reports": null }, { "id": "340d1673-0678-4e1f-8b75-30da2f65cc80", "created_at": "2022-10-25T16:07:23.552036Z", "updated_at": "2026-04-10T02:00:04.653109Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "Bronze Overbrook", "G0017", "Shallow Taurus" ], "source_name": "ETDA:DragonOK", "tools": [ "Agent.dhwf", "CT", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "FF-RAT", "FormerFirstRAT", "Gen:Trojan.Heur.PT", "HTran", "HUC Packet Transmit Tool", "HelloBridge", "IsSpace", "KHRAT", "Kaba", "Korplug", "Mongall", "NFlog", "NewCT", "NfLog RAT", "PlugX", "Poison Ivy", "Rambo", "RedDelta", "SPIVY", "Sogu", "SysGet", "TIGERPLUG", "TVT", "Thoper", "TidePool", "Xamtrav", "brebsd", "ffrat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "416f8374-2b06-47e4-ba91-929b3f85d9bf", "created_at": "2022-10-25T16:07:24.093951Z", "updated_at": "2026-04-10T02:00:04.864244Z", "deleted_at": null, "main_name": "Rancor", "aliases": [ "G0075", "Rancor Group", "Rancor Taurus" ], "source_name": "ETDA:Rancor", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agentemis", "Cobalt Strike", "CobaltStrike", "DDKONG", "Derusbi", "Dudell", "ExDudell", "KHRAT", "PLAINTEE", "RoyalRoad", "certutil", "certutil.exe", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434798, "ts_updated_at": 1775792178, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6c07d1576c8354df6844013cc761f9ef76daa708.pdf", "text": "https://archive.orkl.eu/6c07d1576c8354df6844013cc761f9ef76daa708.txt", "img": "https://archive.orkl.eu/6c07d1576c8354df6844013cc761f9ef76daa708.jpg" } }