{
	"id": "fe128165-affc-4b0c-9a9d-cb7977205d28",
	"created_at": "2026-04-06T00:07:00.64308Z",
	"updated_at": "2026-04-10T03:25:29.675686Z",
	"deleted_at": null,
	"sha1_hash": "7aa9c554fe227a9f5d4c9be4604a72c53435ff7b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50006,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:44:45 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PNGLoad\n Tool: PNGLoad\nNames PNGLoad\nCategory Malware\nType Loader\nDescription\n(ESET) PNGLoad is the second-stage payload deployed by Worok on compromised systems\nand, according to ESET telemetry, loaded either by CLRLoad or PowHeartBeat. While we\ndon’t see any code in PowHeartBeat that directly loads PNGLoad, the backdoor has the\ncapabilities to download and execute additional payloads from the C\u0026C server, which is likely\nhow the attackers have deployed PNGLoad on systems compromised with PowHeartBeat.\nPNGLoad is a loader that uses bytes from PNG files to create a payload to execute. It is a 64-\nbit .NET executable – obfuscated with .NET Reactor – that masquerades as legitimate\nsoftware. For example, Figure 11 shows the CLR headers of a sample masquerading as a\nWinRAR DLL.\nInformation Malpedia Last change to this tool card: 27 December 2022\nDownload this tool card in JSON format\nAll groups using tool PNGLoad\nChanged Name Country Observed\nAPT groups\n Worok 2020\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f9459882-ea88-44c9-aaa5-b4f51918e0f5\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f9459882-ea88-44c9-aaa5-b4f51918e0f5\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f9459882-ea88-44c9-aaa5-b4f51918e0f5\r\nPage 2 of 2\n\nAPT groups  Worok 2020 \n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f9459882-ea88-44c9-aaa5-b4f51918e0f5"
	],
	"report_names": [
		"listgroups.cgi?u=f9459882-ea88-44c9-aaa5-b4f51918e0f5"
	],
	"threat_actors": [
		{
			"id": "a7e5d6c0-5f7e-4d1c-87fa-bbf65b4e65b9",
			"created_at": "2022-10-25T16:07:24.42571Z",
			"updated_at": "2026-04-10T02:00:04.984213Z",
			"deleted_at": null,
			"main_name": "Worok",
			"aliases": [],
			"source_name": "ETDA:Worok",
			"tools": [
				"CLRLoad",
				"Mimikatz",
				"NBTscan",
				"PNGLoad",
				"PowHeartBeat",
				"SAMRID",
				"nbtscan",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e294737b-6aa7-480e-841d-cbed102c356c",
			"created_at": "2023-07-20T02:00:08.787855Z",
			"updated_at": "2026-04-10T02:00:03.368575Z",
			"deleted_at": null,
			"main_name": "Worok",
			"aliases": [],
			"source_name": "MISPGALAXY:Worok",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434020,
	"ts_updated_at": 1775791529,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7aa9c554fe227a9f5d4c9be4604a72c53435ff7b.pdf",
		"text": "https://archive.orkl.eu/7aa9c554fe227a9f5d4c9be4604a72c53435ff7b.txt",
		"img": "https://archive.orkl.eu/7aa9c554fe227a9f5d4c9be4604a72c53435ff7b.jpg"
	}
}