{ "id": "2119bb07-975d-4107-84f2-888c3521b507", "created_at": "2026-04-06T00:19:02.989377Z", "updated_at": "2026-04-10T03:38:09.925989Z", "deleted_at": null, "sha1_hash": "6d186c858bd8faa05a570ca32cb104eb5de50e2a", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50422, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:57:45 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Auriga\r\n Tool: Auriga\r\nNames\r\nAuriga\r\nRiodrv\r\nCategory Malware\r\nType Backdoor, Keylogger\r\nDescription\r\nThe AURIGA malware family shares a large amount of functionality with the bangat\r\nbackdoor. The malware family contains functionality for keystroke logging, creating and\r\nkilling processes, performing file system and registry modifications, spawning interactive\r\ncommand shells, performing process injection, logging off the current user or shutting down\r\nthe local machine. The AURIGA malware contains a driver component which is used to inject\r\nthe malware DLL into other processes. This driver can also perform process and IP connection\r\nhiding. The malware family will create a copy of cmd.exe to perform its C2 activity, and\r\nreplace the 'Microsoft corp' strings in the cmd.exe binary with different values. The malware\r\nfamily typically maintains persistence through installing itself as a service.\r\nInformation\r\n\u003chttps://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf\u003e\r\n\u003chttp://contagiodump.blogspot.com/2013/03/mandiant-apt1-samples-categorized-by.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.auriga\u003e\r\nLast change to this tool card: 23 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Auriga\r\nChanged Name Country Observed\r\nAPT groups\r\n  Comment Crew, APT 1 2006-May 2018\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2f8361b0-f1d1-4cc4-9c67-642df54a181a\r\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2f8361b0-f1d1-4cc4-9c67-642df54a181a\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2f8361b0-f1d1-4cc4-9c67-642df54a181a\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2f8361b0-f1d1-4cc4-9c67-642df54a181a" ], "report_names": [ "listgroups.cgi?u=2f8361b0-f1d1-4cc4-9c67-642df54a181a" ], "threat_actors": [ { "id": "dabb6779-f72e-40ca-90b7-1810ef08654d", "created_at": "2022-10-25T15:50:23.463113Z", "updated_at": "2026-04-10T02:00:05.369301Z", "deleted_at": null, "main_name": "APT1", "aliases": [ "APT1", "Comment Crew", "Comment Group", "Comment Panda" ], "source_name": "MITRE:APT1", "tools": [ "Seasalt", "ipconfig", "Cachedump", "PsExec", "GLOOXMAIL", "Lslsass", "PoisonIvy", "WEBC2", "Mimikatz", "gsecdump", "Pass-The-Hash Toolkit", "Tasklist", "xCmd", "pwdump" ], "source_id": "MITRE", "reports": null }, { "id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb", "created_at": "2023-01-06T13:46:38.228042Z", "updated_at": "2026-04-10T02:00:02.883048Z", "deleted_at": null, "main_name": "APT1", "aliases": [ "PLA Unit 61398", "Comment Crew", "Byzantine Candor", "Comment Group", "GIF89a", "Group 3", "TG-8223", "Brown Fox", "ShadyRAT", "G0006", "COMMENT PANDA" ], "source_name": "MISPGALAXY:APT1", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b", "created_at": "2022-10-25T16:07:23.480196Z", "updated_at": "2026-04-10T02:00:04.626125Z", "deleted_at": null, "main_name": "Comment Crew", "aliases": [ "APT 1", "BrownFox", "Byzantine Candor", "Byzantine Hades", "Comment Crew", "Comment Panda", "G0006", "GIF89a", "Group 3", "Operation Oceansalt", "Operation Seasalt", "Operation Siesta", "Shanghai Group", "TG-8223" ], "source_name": "ETDA:Comment Crew", "tools": [ "Auriga", "Cachedump", "Chymine", "CookieBag", "Darkmoon", "GDOCUPLOAD", "GLOOXMAIL", "GREENCAT", "Gen:Trojan.Heur.PT", "GetMail", "Hackfase", "Hacksfase", "Helauto", "Kurton", "LETSGO", "LIGHTBOLT", "LIGHTDART", "LOLBAS", "LOLBins", "LONGRUN", "Living off the Land", "Lslsass", "MAPIget", "ManItsMe", "Mimikatz", "MiniASP", "Oceansalt", "Pass-The-Hash Toolkit", "Poison Ivy", "ProcDump", "Riodrv", "SPIVY", "Seasalt", "ShadyRAT", "StarsyPound", "TROJAN.COOKIES", "TROJAN.FOXY", "TabMsgSQL", "Tarsip", "Trojan.GTALK", "WebC2", "WebC2-AdSpace", "WebC2-Ausov", "WebC2-Bolid", "WebC2-Cson", "WebC2-DIV", "WebC2-GreenCat", "WebC2-Head", "WebC2-Kt3", "WebC2-Qbp", "WebC2-Rave", "WebC2-Table", "WebC2-UGX", "WebC2-Yahoo", "Wordpress Bruteforcer", "bangat", "gsecdump", "pivy", "poisonivy", "pwdump", "zxdosml" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434742, "ts_updated_at": 1775792289, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6d186c858bd8faa05a570ca32cb104eb5de50e2a.pdf", "text": "https://archive.orkl.eu/6d186c858bd8faa05a570ca32cb104eb5de50e2a.txt", "img": "https://archive.orkl.eu/6d186c858bd8faa05a570ca32cb104eb5de50e2a.jpg" } }