{
	"id": "a3ce8a58-36c3-4197-a7a4-dc82f67605a6",
	"created_at": "2026-04-06T00:08:56.180616Z",
	"updated_at": "2026-04-10T03:38:03.303165Z",
	"deleted_at": null,
	"sha1_hash": "741a1ddce846630600b9e3f22f99b85ccc87ca09",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95150,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 12:34:31 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool njRAT\r\n Tool: njRAT\r\nNames\r\nnjRAT\r\nBladabindi\r\nJorik\r\nCategory Malware\r\nType Backdoor, Keylogger, Credential stealer, Info stealer, Downloader, Exfiltration\r\nDescription\r\n(Carbon Black) njRAT is a Remote Access Trojan (RAT) that will silently collect and\r\nsteal sensitive information such as login credentials. It can also perform keylogger\r\nmonitoring, remote desktop control, installing additional malicious software, and many\r\nother malicious activities on the victim’s computer. In addition, njRAT is still a malware\r\nfamily that is being actively distributed via various methods such as spear-phishing,\r\nmalvertising, exploit kits and other techniques. Figure 1 shows a screenshot for the\r\nnjRAT Panel Menu.\r\nDepending on the configuration taken from the attackers in njRAT panel, the features it\r\nprovided can be used to perform malicious activities such as stealing sensitive\r\ndata/information, disabling security software, install additional malicious payload to the\r\nvictim’s computer and many more harmful actions. Upon the execution of njRAT, it will\r\nconnect to the command and control (C\u0026C) server, allowing the attacker to perform\r\nmalicious activity on the victim’s machine.\r\nOther than that, it will create copies of itself in the %Temp% folder and rename itself by\r\nmasquerading as a legitimate binary. In this example it was renamed to ‘svhost.exe’\r\nwhich is trying to imitate ‘svchost.exe’. 
Furthermore, it tries to hide its persistence from\r\nthe user by setting the file attributes as ‘Hidden’ onto the original and the copy of the\r\nbinary.\r\nMoreover, it will also make a copy of itself in the\r\n“%AppData%\\Microsoft\\Windows\\Start Menu” folder and create or modify the registry\r\nkey for persistence to ensure it will be executed on startup. The following event logs\r\nfrom CB Threat Hunter shown below display the relevant events.\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a442ea06-de48-42e2-beb3-7f2ce7a438b5\r\nPage 1 of 3\n\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 20 January 2021\nDownload this tool card in JSON format\nAll groups using tool njRAT\nChanged Name Country Observed\nAPT groups\n Aggah [Unknown] 2018-Jun 2022\n APT 41 2012-Jul 2025\n Aquatic Panda 2020\n Blind Eagle 2018-Nov 2024\n Gorgon Group 2017-Jul 2020\n Group5 2015\n LazyScripter [Unknown] 2018\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a442ea06-de48-42e2-beb3-7f2ce7a438b5\nPage 2 of 3\n\nMolerats, Extreme Jackal, Gaza Cybergang [Gaza] 2012-Jul 2023  \r\n  OilAlpha 2022  \r\n  Operation Comando [Unknown] 2018  \r\n  Operation Epic Manchego [Unknown] 2020  \r\n  Operation Layover 2013  \r\n  Operation Spalax [Unknown] 2020  \r\n  RATicate [Unknown] 2019  \r\n  RedAlpha 2015-2021  \r\n  RevengeHotels [Unknown] 2015  \r\n  SideCopy 2019-Mar 2025\r\n  Sphinx [Unknown] 2014  \r\n      ↳ Subgroup: Goldmouse, APT-C-27 2014  \r\n      ↳ Subgroup: Pat Bear, APT-C-37 2015  \r\n  TA558 [Unknown] 2018-Jun 2023  \r\n  Transparent Tribe, APT 36 2013-Mar 2025  \r\n22 groups listed (22 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a442ea06-de48-42e2-beb3-7f2ce7a438b5\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a442ea06-de48-42e2-beb3-7f2ce7a438b5\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a442ea06-de48-42e2-beb3-7f2ce7a438b5"
	],
	"report_names": [
		"listgroups.cgi?u=a442ea06-de48-42e2-beb3-7f2ce7a438b5"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ca3acede-fb02-418a-8f2b-a73d8c89eda7",
			"created_at": "2023-06-23T02:04:34.425347Z",
			"updated_at": "2026-04-10T02:00:04.787571Z",
			"deleted_at": null,
			"main_name": "OilAlpha",
			"aliases": [
				"TAG-41",
				"TAG-62"
			],
			"source_name": "ETDA:OilAlpha",
			"tools": [
				"Bladabindi",
				"CypherRat",
				"Jorik",
				"SpyMax",
				"SpyNote",
				"SpyNote RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36",
				"Earth Karkaddan",
				"Gorgon Group",
				"Green Havildar",
				"Mythic Leopard",
				"Operation C-Major",
				"Operation Transparent Tribe",
				"Pasty Draco",
				"ProjectM",
				"Storm-0156"
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9aa9b489-a297-4dbd-8601-8fc0370201a6",
			"created_at": "2022-10-25T16:07:23.696796Z",
			"updated_at": "2026-04-10T02:00:04.71508Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"G0043"
			],
			"source_name": "ETDA:Group5",
			"tools": [
				"Atros2.CKPN",
				"Bladabindi",
				"DroidJack",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "64d750e4-67db-4461-bae2-6e75bfced852",
			"created_at": "2022-10-25T16:07:24.01415Z",
			"updated_at": "2026-04-10T02:00:04.839502Z",
			"deleted_at": null,
			"main_name": "Operation Spalax",
			"aliases": [],
			"source_name": "ETDA:Operation Spalax",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"Jorik",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bfae615f-cb9c-479c-b97d-ba282c322db3",
			"created_at": "2022-10-25T16:07:24.123308Z",
			"updated_at": "2026-04-10T02:00:04.874176Z",
			"deleted_at": null,
			"main_name": "RevengeHotels",
			"aliases": [],
			"source_name": "ETDA:RevengeHotels",
			"tools": [
				"888 RAT",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f5da0b4-5d47-4ae4-87cb-dfcb3c3524ae",
			"created_at": "2022-10-25T16:07:23.96921Z",
			"updated_at": "2026-04-10T02:00:04.812941Z",
			"deleted_at": null,
			"main_name": "Operation Layover",
			"aliases": [],
			"source_name": "ETDA:Operation Layover",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"CyberGate",
				"CyberGate RAT",
				"Jorik",
				"Rebhip",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "316b23b5-e097-4dc6-8b1c-d096860c6c16",
			"created_at": "2022-10-25T16:07:24.290801Z",
			"updated_at": "2026-04-10T02:00:04.924688Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "ETDA:TA558",
			"tools": [
				"AZORult",
				"AsyncRAT",
				"Bladabindi",
				"ExtRat",
				"Jorik",
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Nymeria",
				"PuffStealer",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Rultazo",
				"Socmer",
				"Vengeance Justice Worm",
				"Vjw0rm",
				"Xtreme RAT",
				"XtremeRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf0704ab-99e4-44d7-96d9-3cba91339229",
			"created_at": "2022-10-25T15:50:23.485375Z",
			"updated_at": "2026-04-10T02:00:05.332806Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"Group5"
			],
			"source_name": "MITRE:Group5",
			"tools": [
				"njRAT",
				"NanoCore"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e819f7c1-855b-4834-b30c-493832336ddb",
			"created_at": "2022-10-25T16:07:23.939418Z",
			"updated_at": "2026-04-10T02:00:04.796807Z",
			"deleted_at": null,
			"main_name": "Operation Comando",
			"aliases": [],
			"source_name": "ETDA:Operation Comando",
			"tools": [
				"AsyncRAT",
				"Atros2.CKPN",
				"Bladabindi",
				"CapturaTela",
				"Jorik",
				"LimeRAT",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Socmer",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "094d8210-4c64-4457-ad97-a94fc7af7630",
			"created_at": "2023-01-06T13:46:38.98103Z",
			"updated_at": "2026-04-10T02:00:03.170376Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"G0043"
			],
			"source_name": "MISPGALAXY:Group5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19935e32-f1a5-462d-8934-8b1c3bf3b5f2",
			"created_at": "2022-10-25T16:07:23.36465Z",
			"updated_at": "2026-04-10T02:00:04.565476Z",
			"deleted_at": null,
			"main_name": "Aquatic Panda",
			"aliases": [
				"G0143"
			],
			"source_name": "ETDA:Aquatic Panda",
			"tools": [
				"Agentemis",
				"Bladabindi",
				"Cobalt Strike",
				"CobaltStrike",
				"Fishmaster",
				"JollyJellyfish",
				"Jorik",
				"cobeacon",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b20281dd-8cc4-4284-b85c-f98c7e09ae48",
			"created_at": "2022-10-25T15:50:23.642844Z",
			"updated_at": "2026-04-10T02:00:05.392724Z",
			"deleted_at": null,
			"main_name": "LazyScripter",
			"aliases": [
				"LazyScripter"
			],
			"source_name": "MITRE:LazyScripter",
			"tools": [
				"Remcos",
				"QuasarRAT",
				"njRAT",
				"ngrok",
				"Koadic",
				"KOCTOPUS"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0d07b30c-4393-4071-82fb-22f51f7749e0",
			"created_at": "2022-10-25T16:07:24.097096Z",
			"updated_at": "2026-04-10T02:00:04.865146Z",
			"deleted_at": null,
			"main_name": "RATicate",
			"aliases": [],
			"source_name": "ETDA:RATicate",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"BetaBot",
				"BlackRAT",
				"BlackRemote",
				"Bladabindi",
				"CloudEyE",
				"ForeIT",
				"Formbook",
				"GuLoader",
				"Jorik",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NSIS",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neurevt",
				"Nullsoft Scriptable Install System",
				"Origin Logger",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"ZPAQ",
				"njRAT",
				"vbdropper",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f1c14cad-15c0-4ae3-be08-4226044aa8cb",
			"created_at": "2022-10-25T16:07:23.954439Z",
			"updated_at": "2026-04-10T02:00:04.806247Z",
			"deleted_at": null,
			"main_name": "Operation Epic Manchego",
			"aliases": [],
			"source_name": "ETDA:Operation Epic Manchego",
			"tools": [
				"AZORult",
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Bladabindi",
				"Formbook",
				"Jorik",
				"Matiex",
				"Negasteal",
				"Origin Logger",
				"PuffStealer",
				"Rultazo",
				"ZPAQ",
				"njRAT",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31a4f4ad-1aa7-48c2-8b16-58d48879644c",
			"created_at": "2024-02-06T02:00:04.13577Z",
			"updated_at": "2026-04-10T02:00:03.576453Z",
			"deleted_at": null,
			"main_name": "RevengeHotels",
			"aliases": [],
			"source_name": "MISPGALAXY:RevengeHotels",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c2cc9aa5-1853-4de1-8849-cb3f28c7728e",
			"created_at": "2022-10-25T16:07:24.256045Z",
			"updated_at": "2026-04-10T02:00:04.912815Z",
			"deleted_at": null,
			"main_name": "Goldmouse",
			"aliases": [
				"APT-C-27",
				"ATK 80",
				"Golden Rat",
				"Goldmouse"
			],
			"source_name": "ETDA:Goldmouse",
			"tools": [
				"Bladabindi",
				"GoldenRAT",
				"Jorik",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c385a7d-0217-46d8-a451-29ac6fe58aaf",
			"created_at": "2023-01-06T13:46:38.937468Z",
			"updated_at": "2026-04-10T02:00:03.151838Z",
			"deleted_at": null,
			"main_name": "APT-C-27",
			"aliases": [
				"Golden RAT",
				"ATK80",
				"GoldMouse"
			],
			"source_name": "MISPGALAXY:APT-C-27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9381a9dc-8d8e-453a-9fe5-301136ff0f83",
			"created_at": "2023-01-06T13:46:38.775762Z",
			"updated_at": "2026-04-10T02:00:03.096032Z",
			"deleted_at": null,
			"main_name": "RedAlpha",
			"aliases": [
				"DeepCliff",
				"Red Dev 3"
			],
			"source_name": "MISPGALAXY:RedAlpha",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0769c188-62ce-44ee-8e9d-1067f3d3c083",
			"created_at": "2022-10-25T16:07:24.259063Z",
			"updated_at": "2026-04-10T02:00:04.913621Z",
			"deleted_at": null,
			"main_name": "Pat Bear",
			"aliases": [
				"APT-C-37",
				"Pat Bear",
				"Racquet Bear"
			],
			"source_name": "ETDA:Pat Bear",
			"tools": [
				"Bladabindi",
				"CypherRat",
				"DroidJack",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"Jenxcus",
				"Jorik",
				"Kognito",
				"Njw0rm",
				"SSLove RAT",
				"SpyNote",
				"SpyNote RAT",
				"WSHRAT",
				"dinihou",
				"dunihi",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "712fc9fa-4283-431b-882c-5e0de9c12452",
			"created_at": "2022-10-25T16:07:23.770209Z",
			"updated_at": "2026-04-10T02:00:04.745132Z",
			"deleted_at": null,
			"main_name": "LazyScripter",
			"aliases": [
				"G0140"
			],
			"source_name": "ETDA:LazyScripter",
			"tools": [
				"Adwind",
				"Adwind RAT",
				"Alien Spy",
				"AlienSpy",
				"Bladabindi",
				"CinaRAT",
				"EmPyre",
				"EmpireProject",
				"Empoder",
				"Frutas",
				"Gussdoor",
				"Invoke-Ngrok",
				"JBifrost RAT",
				"JSocket",
				"Jorik",
				"KOCTOPUS",
				"Koadic",
				"Luminosity RAT",
				"LuminosityLink",
				"Nishang",
				"PowerShell Empire",
				"Quasar RAT",
				"QuasarRAT",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"RuRAT",
				"Sockrat",
				"Socmer",
				"Trojan.Maljava",
				"UnReCoM",
				"Unknown RAT",
				"Unrecom",
				"Yggdrasil",
				"jBiFrost",
				"jConnectPro RAT",
				"jFrutas",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cc8271a3-471f-4b8c-9da6-7d50f8ccabaa",
			"created_at": "2022-10-25T16:07:24.107066Z",
			"updated_at": "2026-04-10T02:00:04.868213Z",
			"deleted_at": null,
			"main_name": "RedAlpha",
			"aliases": [
				"DeepCliff",
				"Red Dev 3"
			],
			"source_name": "ETDA:RedAlpha",
			"tools": [
				"AngryRebel",
				"Bladabindi",
				"FF-RAT",
				"Farfli",
				"FormerFirstRAT",
				"Gh0st RAT",
				"Ghost RAT",
				"Jorik",
				"Moudour",
				"Mydoor",
				"NetHelp Infostealer",
				"NetHelp Striker",
				"PCRat",
				"RedAlpha",
				"ffrat",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal",
				"Gaza Cybergang",
				"Molerats",
				"Operation DustySky",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3eea09-ce30-4cfa-ae3a-b5992c4b81f8",
			"created_at": "2022-10-25T15:50:23.441443Z",
			"updated_at": "2026-04-10T02:00:05.263145Z",
			"deleted_at": null,
			"main_name": "Aquatic Panda",
			"aliases": [
				"Aquatic Panda"
			],
			"source_name": "MITRE:Aquatic Panda",
			"tools": [
				"Wevtutil",
				"Winnti for Windows",
				"njRAT",
				"Cobalt Strike",
				"ShadowPad",
				"Winnti for Linux"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf91b389-9602-45c0-8d6b-c61d14800f54",
			"created_at": "2023-01-06T13:46:39.448277Z",
			"updated_at": "2026-04-10T02:00:03.332604Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "MISPGALAXY:TA558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e1e83b71-854a-4ddf-82ed-141c1d151c3c",
			"created_at": "2023-01-06T13:46:38.934536Z",
			"updated_at": "2026-04-10T02:00:03.150803Z",
			"deleted_at": null,
			"main_name": "Operation Comando",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Comando",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9802c44a-36d9-4e1e-9f37-76b89b3b61b0",
			"created_at": "2023-11-07T02:00:07.10244Z",
			"updated_at": "2026-04-10T02:00:03.408827Z",
			"deleted_at": null,
			"main_name": "OilAlpha",
			"aliases": [],
			"source_name": "MISPGALAXY:OilAlpha",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434136,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/741a1ddce846630600b9e3f22f99b85ccc87ca09.pdf",
		"text": "https://archive.orkl.eu/741a1ddce846630600b9e3f22f99b85ccc87ca09.txt",
		"img": "https://archive.orkl.eu/741a1ddce846630600b9e3f22f99b85ccc87ca09.jpg"
	}
}