{
	"id": "7c659b1d-3142-4515-a5ce-7de2bf9bd555",
	"created_at": "2026-04-06T00:13:56.533785Z",
	"updated_at": "2026-04-10T03:36:33.508469Z",
	"deleted_at": null,
	"sha1_hash": "738840aea0ce723ee998b6d61d6f72be5bf335f9",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49896,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:36:19 UTC\r\n Tool: TONEINS\r\nNames TONEINS\r\nCategory Malware\r\nType Dropper, Loader\r\nDescription\r\n(Trend Micro) Trojan.Win32.TONEINS is the installer for TONESHELL backdoors. The\r\ninstaller drops the TONESHELL malware to the %PUBLIC% folder and establishes the\r\npersistence for it. TONEINS malware usually comes in the lure archives, and in most cases,\r\nthe name of the TONEINS DLL is libcef.dll. The malicious routine is triggered via calling its\r\nexport function cef_api_hash.\r\nInformation\r\n\u003chttps://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html\u003e\r\nLast change to this tool card: 19 November 2022\r\nAll groups using tool TONEINS\r\nChanged Name Country Observed\r\nAPT groups\r\n  CeranaKeeper 2022-2023  \r\n  Mustang Panda, Bronze President 2012-Jun 2025  \r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7259ece1-262f-4880-baa1-8a4e0d0f6752",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7259ece1-262f-4880-baa1-8a4e0d0f6752"
	],
	"report_names": [
		"listgroups.cgi?u=7259ece1-262f-4880-baa1-8a4e0d0f6752"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7e75b11d-f74c-4721-958e-f5a831ae85dc",
			"created_at": "2024-10-25T02:02:07.623446Z",
			"updated_at": "2026-04-10T02:00:04.608517Z",
			"deleted_at": null,
			"main_name": "CeranaKeeper",
			"aliases": [],
			"source_name": "ETDA:CeranaKeeper",
			"tools": [
				"ClaimLoader",
				"PUBLOAD",
				"TONEINS",
				"TONESHELL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eeea8091-668c-4e89-9c67-e688fd599365",
			"created_at": "2024-10-08T02:00:04.464686Z",
			"updated_at": "2026-04-10T02:00:03.723141Z",
			"deleted_at": null,
			"main_name": "CeranaKeeper",
			"aliases": [],
			"source_name": "MISPGALAXY:CeranaKeeper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434436,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/738840aea0ce723ee998b6d61d6f72be5bf335f9.pdf",
		"text": "https://archive.orkl.eu/738840aea0ce723ee998b6d61d6f72be5bf335f9.txt",
		"img": "https://archive.orkl.eu/738840aea0ce723ee998b6d61d6f72be5bf335f9.jpg"
	}
}