{ "id": "43e9cbee-1c54-404b-8ddb-163442d2e3b2", "created_at": "2026-04-06T01:29:51.073953Z", "updated_at": "2026-04-10T03:38:03.341129Z", "deleted_at": null, "sha1_hash": "797af69396d1d4da97ca55245c23a2ba7a39c48b", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47246, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:43:51 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool JhoneRAT\r\n Tool: JhoneRAT\r\nNames JhoneRAT\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Downloader, Dropper\r\nDescription\r\n(Talos) Today, Cisco Talos is unveiling the details of a new RAT we have identified we're\r\ncalling 'JhoneRAT.' This new RAT is dropped to the victims via malicious Microsoft\r\nOffice documents. The dropper, along with the Python RAT, attempts to gather\r\ninformation on the victim's machine and then uses multiple cloud services: Google Drive,\r\nTwitter, ImgBB and Google Forms. The RAT attempts to download additional payloads\r\nand upload the information gathered during the reconnaissance phase. This particular RAT\r\nattempts to target a very specific set of Arabic-speaking countries. The filtering is\r\nperformed by checking the keyboard layout of the infected systems.\r\nInformation \u003chttps://blog.talosintelligence.com/2020/01/jhonerat.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.jhone_rat\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:JhoneRAT\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool JhoneRAT\r\nChanged Name Country Observed\r\nAPT groups\r\n  Molerats, Extreme Jackal, Gaza Cybergang [Gaza] 2012-Jul 2023  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=21ed6073-21b0-41df-ba0a-312e06d1992c\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=21ed6073-21b0-41df-ba0a-312e06d1992c\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=21ed6073-21b0-41df-ba0a-312e06d1992c\r\nPage 2 of 2\n\nAPT groups Molerats, Extreme Jackal, Gaza Cybergang [Gaza] 2012-Jul 2023 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=21ed6073-21b0-41df-ba0a-312e06d1992c" ], "report_names": [ "listgroups.cgi?u=21ed6073-21b0-41df-ba0a-312e06d1992c" ], "threat_actors": [ { "id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f", "created_at": "2022-10-25T15:50:23.756782Z", "updated_at": "2026-04-10T02:00:05.324924Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Molerats", "Operation Molerats", "Gaza Cybergang" ], "source_name": "MITRE:Molerats", "tools": [ "MoleNet", "DustySky", "DropBook", "SharpStage", "PoisonIvy" ], "source_id": "MITRE", "reports": null }, { "id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b", "created_at": "2025-08-07T02:03:24.53077Z", "updated_at": "2026-04-10T02:00:03.680525Z", "deleted_at": null, "main_name": "ALUMINUM SARATOGA", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "Extreme Jackal ", "Gaza Cybergang", "Molerats ", "Operation DustySky ", "TA402" ], "source_name": "Secureworks:ALUMINUM SARATOGA", "tools": [ "BlackShades", "BrittleBush", "DarkComet", "LastConn", "Micropsia", "NimbleMamba", "PoisonIvy", "QuasarRAT", "XtremeRat" ], "source_id": "Secureworks", "reports": null }, { "id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c", "created_at": "2023-01-06T13:46:38.508262Z", "updated_at": "2026-04-10T02:00:03.006018Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Gaza Cybergang", "Operation Molerats", "Extreme Jackal", "ALUMINUM SARATOGA", "G0021", "BLACKSTEM", "Gaza Hackers Team", "Gaza cybergang" ], "source_name": "MISPGALAXY:Molerats", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4", "created_at": "2022-10-25T16:07:23.875541Z", "updated_at": "2026-04-10T02:00:04.768142Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "ATK 89", "Aluminum Saratoga", "Extreme Jackal", "G0021", "Gaza Cybergang", "Gaza Hackers Team", "Molerats", "Operation DustySky", "Operation DustySky Part 2", "Operation Molerats", "Operation Moonlight", "Operation SneakyPastes", "Operation TopHat", "TA402", "TAG-CT5" ], "source_name": "ETDA:Molerats", "tools": [ "BadPatch", "Bladabindi", "BrittleBush", "Chymine", "CinaRAT", "Darkmoon", "Downeks", "DropBook", "DustySky", "ExtRat", "Gen:Trojan.Heur.PT", "H-Worm", "H-Worm RAT", "Houdini", "Houdini RAT", "Hworm", "Iniduoh", "IronWind", "Jenxcus", "JhoneRAT", "Jorik", "KasperAgent", "Kognito", "LastConn", "Micropsia", "MoleNet", "Molerat Loader", "NeD Worm", "NimbleMamba", "Njw0rm", "Pierogi", "Poison Ivy", "Quasar RAT", "QuasarRAT", "SPIVY", "Scote", "SharpSploit", "SharpStage", "WSHRAT", "WelcomeChat", "Xtreme RAT", "XtremeRAT", "Yggdrasil", "dinihou", "dunihi", "njRAT", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775438991, "ts_updated_at": 1775792283, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/797af69396d1d4da97ca55245c23a2ba7a39c48b.pdf", "text": "https://archive.orkl.eu/797af69396d1d4da97ca55245c23a2ba7a39c48b.txt", "img": "https://archive.orkl.eu/797af69396d1d4da97ca55245c23a2ba7a39c48b.jpg" } }