{
	"id": "c7313ed4-2001-4cdf-93bd-ef7794c2186a",
	"created_at": "2026-04-06T00:16:32.724631Z",
	"updated_at": "2026-04-10T03:29:32.144945Z",
	"deleted_at": null,
	"sha1_hash": "7124166c78f83ed548e492b4a1e858f7b25efaa7",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49230,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:05:02 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool MoonBounce\n Tool: MoonBounce\nNames MoonBounce\nCategory Malware\nType Backdoor, Rootkit\nDescription\n(Kaspersky) The UEFI implant, which was detected in spring 2021 , was found to have been\nincorporated by the attackers into the CORE_DXE component of the firmware (also known as\nthe DXE Foundation), which is called early on at the DXE (Driver Execution Environment)\nphase of the UEFI boot sequence. Among other things, this component is responsible for\ninitializing essential data structures and function interfaces, one of which is the EFI Boot\nServices Table – a set of pointers to routines that are part of the CORE_DXE image itself and\nare callable by other DXE drivers in the boot chain.\nInformation Malpedia Last change to this tool card: 27 December 2022\nDownload this tool card in JSON format\nAll groups using tool MoonBounce\nChanged Name Country Observed\nAPT groups\n APT 41 2012-Jul 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=14ee64fb-dbd7-4884-8f6c-f53a1d0f02a5\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=14ee64fb-dbd7-4884-8f6c-f53a1d0f02a5\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=14ee64fb-dbd7-4884-8f6c-f53a1d0f02a5"
	],
	"report_names": [
		"listgroups.cgi?u=14ee64fb-dbd7-4884-8f6c-f53a1d0f02a5"
	],
	"threat_actors": [
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434592,
	"ts_updated_at": 1775791772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7124166c78f83ed548e492b4a1e858f7b25efaa7.pdf",
		"text": "https://archive.orkl.eu/7124166c78f83ed548e492b4a1e858f7b25efaa7.txt",
		"img": "https://archive.orkl.eu/7124166c78f83ed548e492b4a1e858f7b25efaa7.jpg"
	}
}