Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 18:59:29 UTC
 APT group: Rancor
Names
Rancor (Palo Alto)
Rancor Group (Palo Alto)
Rancor Taurus (Palo Alto)
G0075 (MITRE)
Country China
Motivation Information theft and espionage
First seen 2017
Description
(Palo Alto) Throughout 2017 and 2018 Unit 42 has been tracking and observing a series
of highly targeted attacks focused in South East Asia, building on our research into the
KHRAT Trojan. Based on the evidence, these attacks appear to be conducted by the
same set of attackers using previously unknown malware families. In addition, these
attacks appear to be highly targeted in their distribution of the malware used, as well as
the targets chosen. Based on these factors, Unit 42 believes the attackers behind these
attacks are conducting their campaigns for espionage purposes.
We believe this group is previously unidentified and therefore have we have dubbed it
“Rancor”. The Rancor group’s attacks use two primary malware families which we
describe in depth later in this blog and are naming DDKONG and PLAINTEE.
DDKONG is used throughout the campaign and PLAINTEE appears to be new addition
to these attackers’ toolkit.
Kaspersky found connections between this group and DragonOK.
Observed
Sectors: Government and political entities.
Countries: Cambodia, Singapore, Vietnam and Southeast Asia.
Tools used
8.t Dropper, certutil, Cobalt Strike, DDKONG, Derusbi, Dudell, ExDudell, KHRAT,
PLAINTEE.
Information https://apt.etda.or.th/cgi-bin/showcard.cgi?u=020d538c-5250-46d8-9713-e739536cdd7e
Page 1 of 2

MITRE ATT&CK Playbook Last change to this card: 16 August 2025
Download this actor card in PDF or JSON format
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=020d538c-5250-46d8-9713-e739536cdd7e
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=020d538c-5250-46d8-9713-e739536cdd7e
Page 2 of 2