{
	"id": "d481c9a4-ee14-45ae-be74-03db45ffd6a3",
	"created_at": "2026-04-06T00:19:17.563412Z",
	"updated_at": "2026-04-10T03:29:58.947307Z",
	"deleted_at": null,
	"sha1_hash": "7a76cf17ff929f27991e161975e686c3db83adb2",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52037,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:05:46 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool MoonWind RAT\n Tool: MoonWind RAT\nNames\nMoonWind RAT\nMoonWind\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer\nDescription\n(Palo Alto) The malware proceeds to collect the following victim information:\n• Hostname\n• Username\n• Windows version\n• IP address\n• Current time\n• RAM amount\n• Number of total drives\n• Number of removable drives\n• Unique victim identifier\nIn total, MoonWind has 73 possible commands that it can accept.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool MoonWind RAT\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=14592f43-472d-41b2-9f29-7994c9a473fa\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  Nightshade Panda, APT 9, Group 27 2013-Sep 2016  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=14592f43-472d-41b2-9f29-7994c9a473fa\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=14592f43-472d-41b2-9f29-7994c9a473fa\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=14592f43-472d-41b2-9f29-7994c9a473fa"
	],
	"report_names": [
		"listgroups.cgi?u=14592f43-472d-41b2-9f29-7994c9a473fa"
	],
	"threat_actors": [
		{
			"id": "699b7efc-322d-489d-818d-823fac028124",
			"created_at": "2023-01-06T13:46:39.404825Z",
			"updated_at": "2026-04-10T02:00:03.315524Z",
			"deleted_at": null,
			"main_name": "APT9",
			"aliases": [
				"NIGHTSHADE PANDA",
				"Red Pegasus",
				"Group 27"
			],
			"source_name": "MISPGALAXY:APT9",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e79324a2-bdae-4dc5-9421-578a59045288",
			"created_at": "2022-10-25T16:07:23.906087Z",
			"updated_at": "2026-04-10T02:00:04.784657Z",
			"deleted_at": null,
			"main_name": "Nightshade Panda",
			"aliases": [
				"APT 9",
				"FlowerLady",
				"FlowerShow",
				"Group 27",
				"Nightshade Panda",
				"Operation Seven Pointed Dagger"
			],
			"source_name": "ETDA:Nightshade Panda",
			"tools": [
				"3102 RAT",
				"9002 RAT",
				"Agent.dhwf",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"EvilGrab",
				"EvilGrab RAT",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"MoonWind",
				"MoonWind RAT",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Vidgrab",
				"Wmonder",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434757,
	"ts_updated_at": 1775791798,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a76cf17ff929f27991e161975e686c3db83adb2.pdf",
		"text": "https://archive.orkl.eu/7a76cf17ff929f27991e161975e686c3db83adb2.txt",
		"img": "https://archive.orkl.eu/7a76cf17ff929f27991e161975e686c3db83adb2.jpg"
	}
}