{
	"id": "6bd0b7d4-12aa-419f-b967-65c272921298",
	"created_at": "2026-04-06T01:30:09.658513Z",
	"updated_at": "2026-04-10T13:12:24.225974Z",
	"deleted_at": null,
	"sha1_hash": "73a4a314a007043310f8f352b7805218bc231ad0",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49031,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:17:41 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool LONGRUN\r\n Tool: LONGRUN\r\nNames LONGRUN\r\nCategory Malware\r\nType Backdoor, Info stealer, Exfiltration\r\nDescription\r\nLONGRUN is a backdoor designed to communicate with a hard-coded IP address and provide\r\nthe attackers with a custom interactive shell. It supports file uploads and downloads, and\r\nexecuting arbitrary commands on the compromised machine. When LONGRUN executes, it\r\nfirst loads configuration data stored as an obfuscated string inside the PE resource section. The\r\ndistinctive string thequickbrownfxjmpsvalzydg is used as part of the input to the decoding\r\nalgorithm. When the configuration data string is decoded it is parsed and treated as an IP and\r\nport number. The malware then connects to the host and begins interacting with it over a\r\ncustom protocol.\r\nInformation \u003chttp://contagiodump.blogspot.com/2013/03/mandiant-apt1-samples-categorized-by.html\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool LONGRUN\r\nChanged Name Country Observed\r\nAPT groups\r\n  Comment Crew, APT 1 2006-May 2018\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7f5652d8-d82d-4298-ad2d-effcb67444ae\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7f5652d8-d82d-4298-ad2d-effcb67444ae\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7f5652d8-d82d-4298-ad2d-effcb67444ae"
	],
	"report_names": [
		"listgroups.cgi?u=7f5652d8-d82d-4298-ad2d-effcb67444ae"
	],
	"threat_actors": [
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439009,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73a4a314a007043310f8f352b7805218bc231ad0.pdf",
		"text": "https://archive.orkl.eu/73a4a314a007043310f8f352b7805218bc231ad0.txt",
		"img": "https://archive.orkl.eu/73a4a314a007043310f8f352b7805218bc231ad0.jpg"
	}
}