{ "id": "6818d523-9815-48ed-a6af-cda69a2584c8", "created_at": "2026-04-06T00:15:26.732109Z", "updated_at": "2026-04-10T13:12:09.53263Z", "deleted_at": null, "sha1_hash": "79955f719c71301c473c5e019ede48c7d6e5bce7", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53630, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:15:04 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Datper\n Tool: Datper\nNames Datper\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\nDescription\n(JPCERT/CC) Datper communicates with a C\u0026C server using HTTP protocol and\noperates based on the received commands. One of the characteristics is that it only\ncommunicates within a specific period of time.\nThe malware receives a command as a response to the above HTTP request, and it\nexecutes functions based on the commands. Functions that Datper can execute are the\nfollowing:\n• Obtain host names, OS versions etc.\n• Obtain drive information\n• Configure communication intervals\n• Sleep for a set period of time\n• Execute a program\n• Operate on files (Obtain file lists, download, upload, delete)\n• Execute shell commands\nAfter executing these functions, Datper sends the results to a C\u0026C server.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 13 May 2020\nDownload this tool card in JSON format\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=26cad6ce-54da-4ad1-8f06-24d59dd4603d\nPage 1 of 2\n\nAll groups using tool Datper\r\nChanged Name Country Observed\r\nAPT groups\r\n  Bronze Butler, Tick, RedBaldNight, Stalker Panda 2006-Apr 2021\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=26cad6ce-54da-4ad1-8f06-24d59dd4603d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=26cad6ce-54da-4ad1-8f06-24d59dd4603d\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=26cad6ce-54da-4ad1-8f06-24d59dd4603d" ], "report_names": [ "listgroups.cgi?u=26cad6ce-54da-4ad1-8f06-24d59dd4603d" ], "threat_actors": [ { "id": "bbefc37d-475c-4d4d-b80b-7a55f896de82", "created_at": "2022-10-25T15:50:23.571783Z", "updated_at": "2026-04-10T02:00:05.302196Z", "deleted_at": null, "main_name": "BRONZE BUTLER", "aliases": [ "BRONZE BUTLER", "REDBALDKNIGHT" ], "source_name": "MITRE:BRONZE BUTLER", "tools": [ "Mimikatz", "build_downer", "cmd", "ABK", "at", "BBK", "schtasks", "down_new", "Daserf", "ShadowPad", "Windows Credential Editor", "gsecdump" ], "source_id": "MITRE", "reports": null }, { "id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf", "created_at": "2023-01-06T13:46:38.626906Z", "updated_at": "2026-04-10T02:00:03.043681Z", "deleted_at": null, "main_name": "Tick", "aliases": [ "G0060", "Stalker Taurus", "PLA Unit 61419", "Swirl Typhoon", "Nian", "BRONZE BUTLER", "REDBALDKNIGHT", "STALKER PANDA" ], "source_name": "MISPGALAXY:Tick", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "54e55585-1025-49d2-9de8-90fc7a631f45", "created_at": "2025-08-07T02:03:24.563488Z", "updated_at": "2026-04-10T02:00:03.715427Z", "deleted_at": null, "main_name": "BRONZE BUTLER", "aliases": [ "CTG-2006 ", "Daserf", "Stalker Panda ", "Swirl Typhoon ", "Tick " ], "source_name": "Secureworks:BRONZE BUTLER", "tools": [ "ABK", "BBK", "Casper", "DGet", "Daserf", "Datper", "Ghostdown", "Gofarer", "MSGet", "Mimikatz", "Netboy", "RarStar", "Screen Capture Tool", "ShadowPad", "ShadowPy", "T-SMB", "down_new", "gsecdump" ], "source_id": "Secureworks", "reports": null }, { "id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b", "created_at": "2022-10-25T16:07:23.419513Z", "updated_at": "2026-04-10T02:00:04.591062Z", "deleted_at": null, "main_name": "Bronze Butler", "aliases": [ "Bronze Butler", "CTG-2006", "G0060", "Operation ENDTRADE", "RedBaldNight", "Stalker Panda", "Stalker Taurus", "Swirl Typhoon", "TEMP.Tick", "Tick" ], "source_name": "ETDA:Bronze Butler", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "9002 RAT", "AngryRebel", "Blogspot", "Daserf", "Datper", "Elirks", "Farfli", "Gh0st RAT", "Ghost RAT", "HOMEUNIX", "HidraQ", "HomamDownloader", "Homux", "Hydraq", "Lilith", "Lilith RAT", "McRAT", "MdmBot", "Mimikatz", "Minzen", "Moudour", "Muirim", "Mydoor", "Nioupale", "PCRat", "POISONPLUG.SHADOW", "Roarur", "RoyalRoad", "ShadowPad Winnti", "ShadowWali", "ShadowWalker", "SymonLoader", "WCE", "Wali", "Windows Credential Editor", "Windows Credentials Editor", "XShellGhost", "XXMM", "gsecdump", "rarstar" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434526, "ts_updated_at": 1775826729, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/79955f719c71301c473c5e019ede48c7d6e5bce7.pdf", "text": "https://archive.orkl.eu/79955f719c71301c473c5e019ede48c7d6e5bce7.txt", "img": "https://archive.orkl.eu/79955f719c71301c473c5e019ede48c7d6e5bce7.jpg" } }