{ "id": "31ad9f2b-9931-4e41-9963-f259437bfc71", "created_at": "2026-04-06T00:07:00.173311Z", "updated_at": "2026-04-10T03:29:31.972098Z", "deleted_at": null, "sha1_hash": "6d1bf76588475ce111a3f899809b1aa9009d6025", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53015, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:04:11 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool KEYPLUG\n Tool: KEYPLUG\nNames\nKEYPLUG\nELFSHELF\nCategory Malware\nType Backdoor\nDescription\n(Mandiant) KEYPLUG is a modular backdoor written in C++ that supports multiple\nnetwork protocols for command and control (C2) traffic including HTTP, TCP, KCP\nover UDP, and WSS.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 27 June 2025\nDownload this tool card in JSON format\nAll groups using tool KEYPLUG\nChanged Name Country Observed\nAPT groups\n APT 41 2012-Jul 2025\n RedGolf 2014\n2 groups listed (2 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c549363e-03d1-4696-9d7e-5118831adf40\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c549363e-03d1-4696-9d7e-5118831adf40\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c549363e-03d1-4696-9d7e-5118831adf40\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c549363e-03d1-4696-9d7e-5118831adf40" ], "report_names": [ "listgroups.cgi?u=c549363e-03d1-4696-9d7e-5118831adf40" ], "threat_actors": [ { "id": "7936e2f8-5179-414a-8b57-530c28062f26", "created_at": "2023-04-27T02:04:45.231554Z", "updated_at": "2026-04-10T02:00:04.87247Z", "deleted_at": null, "main_name": "RedGolf", "aliases": [], "source_name": "ETDA:RedGolf", "tools": [ "Agent.dhwf", "Agentemis", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "ELFSHELF", "KEYPLUG", "Kaba", "Korplug", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f799b96d-bc59-4b35-ae5c-dfe87e5b735b", "created_at": "2023-04-26T02:02:01.286476Z", "updated_at": "2026-04-10T02:00:03.363506Z", "deleted_at": null, "main_name": "RedGolf", "aliases": [], "source_name": "MISPGALAXY:RedGolf", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434020, "ts_updated_at": 1775791771, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6d1bf76588475ce111a3f899809b1aa9009d6025.pdf", "text": "https://archive.orkl.eu/6d1bf76588475ce111a3f899809b1aa9009d6025.txt", "img": "https://archive.orkl.eu/6d1bf76588475ce111a3f899809b1aa9009d6025.jpg" } }