{ "id": "661b6ccd-aa7f-4950-b741-40ae57c5349d", "created_at": "2026-04-06T00:13:02.872015Z", "updated_at": "2026-04-10T03:37:19.323135Z", "deleted_at": null, "sha1_hash": "6ca592f3e1c7fdde36343112c3cf55a2de8f30ef", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48189, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:12:12 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool JsonCookies\n Tool: JsonCookies\nNames JsonCookies\nCategory Malware\nType Info stealer\nDescription\n(Kaspersky) Proprietary tool that steals cookies from SQLite databases of Chromium-based\nbrowsers. For this purpose, the sqlite3.dll library is downloaded from the C\u0026C and used\nduring execution to parse the database and generate a JSON file named ‘FuckCookies.txt’\ncontaining stolen cookie info.\nInformation Last change to this tool card: 04 June 2020\nDownload this tool card in JSON format\nAll groups using tool JsonCookies\nChanged Name Country Observed\nAPT groups\n Goblin Panda, Cycldek, Conimes 2013-Jun 2020\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ae65a12f-980c-4d7b-9191-c4ea39c28f26\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ae65a12f-980c-4d7b-9191-c4ea39c28f26\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ae65a12f-980c-4d7b-9191-c4ea39c28f26" ], "report_names": [ "listgroups.cgi?u=ae65a12f-980c-4d7b-9191-c4ea39c28f26" ], "threat_actors": [ { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea", "created_at": "2023-01-06T13:46:39.444946Z", "updated_at": "2026-04-10T02:00:03.331753Z", "deleted_at": null, "main_name": "GOBLIN PANDA", "aliases": [ "Conimes", "Cycldek" ], "source_name": "MISPGALAXY:GOBLIN PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null }, { "id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39", "created_at": "2022-10-25T16:07:23.690871Z", "updated_at": "2026-04-10T02:00:04.709966Z", "deleted_at": null, "main_name": "Goblin Panda", "aliases": [ "1937CN", "Conimes", "Cycldek", "Goblin Panda" ], "source_name": "ETDA:Goblin Panda", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "BackDoor-FBZT!52D84425CDF2", "BlueCore", "BrowsingHistoryView", "ChromePass", "CoreLoader", "Custom HDoor", "Destroy RAT", "DestroyRAT", "DropPhone", "FoundCore", "HDoor", "HTTPTunnel", "JsonCookies", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "NBTscan", "NewCore RAT", "PlugX", "ProcDump", "PsExec", "QCRat", "RainyDay", "RedCore", "RedDelta", "RoyalRoad", "Sisfader", "Sisfader RAT", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trojan.Win32.Staser.ytq", "USBCulprit", "Win32/Zegost.BW", "Xamtrav", "ZeGhost", "nbtscan" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434382, "ts_updated_at": 1775792239, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6ca592f3e1c7fdde36343112c3cf55a2de8f30ef.pdf", "text": "https://archive.orkl.eu/6ca592f3e1c7fdde36343112c3cf55a2de8f30ef.txt", "img": "https://archive.orkl.eu/6ca592f3e1c7fdde36343112c3cf55a2de8f30ef.jpg" } }