{ "id": "24c2819a-5522-40ec-b0e3-ff68cfbf5005", "created_at": "2026-04-06T00:18:41.336804Z", "updated_at": "2026-04-10T03:34:17.22871Z", "deleted_at": null, "sha1_hash": "83611c2cedc340d58c874fcec5e1c7d0a31acd9d", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53565, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:58:33 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Mongall\n Tool: Mongall\nNames Mongall\nCategory Malware\nType Backdoor\nDescription\n(SentinelLabs) Mongall is a small backdoor going back to 2013, first described in a\nreport by ESET. According to the report, the threat actor was trying to target the\nTelecommunications Department and the Vietnamese government. More recently, Aoqin\nDragon has been reported targeting Southeast Asia with an upgraded Mongall\nencryption protocol and Themida packer.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Mongall\nChanged Name Country Observed\nAPT groups\n Aoqin Dragon 2013\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4d5089f2-9389-496e-a4cd-4e45af89f928\nPage 1 of 2\n\nDragonOK 2015-Jan 2017  \r\n  Moafee 2014  \r\n3 groups listed (3 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4d5089f2-9389-496e-a4cd-4e45af89f928\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4d5089f2-9389-496e-a4cd-4e45af89f928\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4d5089f2-9389-496e-a4cd-4e45af89f928" ], "report_names": [ "listgroups.cgi?u=4d5089f2-9389-496e-a4cd-4e45af89f928" ], "threat_actors": [ { "id": "d7226f71-df4a-405e-9252-f8c4108303ae", "created_at": "2022-10-25T15:50:23.325171Z", "updated_at": "2026-04-10T02:00:05.413071Z", "deleted_at": null, "main_name": "Moafee", "aliases": [ "Moafee" ], "source_name": "MITRE:Moafee", "tools": [ "PoisonIvy" ], "source_id": "MITRE", "reports": null }, { "id": "5cd2e600-e100-4159-88ce-bda7b98d6bb4", "created_at": "2022-10-27T08:27:13.089186Z", "updated_at": "2026-04-10T02:00:05.284285Z", "deleted_at": null, "main_name": "Aoqin Dragon", "aliases": [ "Aoqin Dragon" ], "source_name": "MITRE:Aoqin Dragon", "tools": [ "Mongall", "Heyoka Backdoor" ], "source_id": "MITRE", "reports": null }, { "id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0", "created_at": "2023-01-06T13:46:38.469688Z", "updated_at": "2026-04-10T02:00:02.987949Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "Moafee", "BRONZE OVERBROOK", "G0017", "G0002", "Shallow Taurus" ], "source_name": "MISPGALAXY:DragonOK", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28", "created_at": "2022-10-25T15:50:23.78829Z", "updated_at": "2026-04-10T02:00:05.415039Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "DragonOK" ], "source_name": "MITRE:DragonOK", "tools": [ "PoisonIvy", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "5a07c7a3-f12a-4518-b078-de7da2fb6b5e", "created_at": "2022-10-25T16:07:23.312387Z", "updated_at": "2026-04-10T02:00:04.536656Z", "deleted_at": null, "main_name": "Aoqin Dragon", "aliases": [ "G1007", "UNC94" ], "source_name": "ETDA:Aoqin Dragon", "tools": [ "Mongall" ], "source_id": "ETDA", "reports": null }, { "id": "c3c08eb0-cced-43ab-b126-fbe0c39a0698", "created_at": "2022-10-25T16:07:23.872885Z", "updated_at": "2026-04-10T02:00:04.767193Z", "deleted_at": null, "main_name": "Moafee", "aliases": [ "G0002" ], "source_name": "ETDA:Moafee", "tools": [ "Chymine", "Darkmoon", "Gen:Trojan.Heur.PT", "HTran", "HUC Packet Transmit Tool", "Mongall", "NFlog", "NewCT2", "Poison Ivy", "SPIVY", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "593dd07d-853c-46cd-8117-e24061034bbf", "created_at": "2025-08-07T02:03:24.648074Z", "updated_at": "2026-04-10T02:00:03.625859Z", "deleted_at": null, "main_name": "BRONZE OVERBROOK", "aliases": [ "Danti ", "DragonOK ", "Samurai Panda ", "Shallow Taurus ", "Temp.DragonOK " ], "source_name": "Secureworks:BRONZE OVERBROOK", "tools": [ "Aveo", "DDKONG", "Godzilla Webshell", "HelloBridge", "IsSpace", "NFLog Trojan", "PLAINTEE", "PlugX", "Rambo" ], "source_id": "Secureworks", "reports": null }, { "id": "340d1673-0678-4e1f-8b75-30da2f65cc80", "created_at": "2022-10-25T16:07:23.552036Z", "updated_at": "2026-04-10T02:00:04.653109Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "Bronze Overbrook", "G0017", "Shallow Taurus" ], "source_name": "ETDA:DragonOK", "tools": [ "Agent.dhwf", "CT", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "FF-RAT", "FormerFirstRAT", "Gen:Trojan.Heur.PT", "HTran", "HUC Packet Transmit Tool", "HelloBridge", "IsSpace", "KHRAT", "Kaba", "Korplug", "Mongall", "NFlog", "NewCT", "NfLog RAT", "PlugX", "Poison Ivy", "Rambo", "RedDelta", "SPIVY", "Sogu", "SysGet", "TIGERPLUG", "TVT", "Thoper", "TidePool", "Xamtrav", "brebsd", "ffrat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "abe60a4d-d2a5-4c13-97ff-8625a68b205b", "created_at": "2023-01-06T13:46:39.457794Z", "updated_at": "2026-04-10T02:00:03.335805Z", "deleted_at": null, "main_name": "Aoqin Dragon", "aliases": [ "UNC94" ], "source_name": "MISPGALAXY:Aoqin Dragon", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434721, "ts_updated_at": 1775792057, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/83611c2cedc340d58c874fcec5e1c7d0a31acd9d.pdf", "text": "https://archive.orkl.eu/83611c2cedc340d58c874fcec5e1c7d0a31acd9d.txt", "img": "https://archive.orkl.eu/83611c2cedc340d58c874fcec5e1c7d0a31acd9d.jpg" } }