{
	"id": "672e4c8e-7126-4558-aca4-11c7702707c1",
	"created_at": "2026-04-06T00:15:36.633384Z",
	"updated_at": "2026-04-10T13:11:20.755422Z",
	"deleted_at": null,
	"sha1_hash": "84799973d3b7fca6a19e6a71b8491b35c3783e5e",
	"title": "Calypso RAT - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49397,
	"plain_text": "Calypso RAT - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 11:37:25 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Calypso RAT\n Tool: Calypso RAT\nNames Calypso RAT\nCategory Malware\nType Backdoor\nDescription\n(Positive Technologies) The dropper extracts the payload as an installation BAT script and\nCAB archive, and saves it to disk. The payload inside the dropper has a magic header that the\ndropper searches for.\nThe dropper encrypts and decrypts data with a self-developed algorithm that uses CRC32 as a\npseudorandom number generator (PRNG). The algorithm performs arithmetic (addition and\nsubtraction) between the generated data and the data that needs to be encrypted or decrypted.\nNow decrypted, the payload is saved to disk at %ALLUSERSPROFILE%\\TMP_%d%d, where\nthe last two numbers are replaced by random numbers returned by the rand() function.\nDepending on the configuration, the CAB archive contains one of three possibilities: a DLL\nand encrypted shellcode, a DLL with encoded loader in the resources, or an EXE file. We were\nunable to detect any instances of the last variant.\nInformation Last change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool Calypso RAT\nChanged Name Country Observed\nAPT groups\n Calypso 2016-Aug 2021\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f2340394-4915-485e-b3f8-5aeafdb7794c\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f2340394-4915-485e-b3f8-5aeafdb7794c\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f2340394-4915-485e-b3f8-5aeafdb7794c\r\nPage 2 of 2\n\nAPT groups Calypso 2016-Aug 2021  \n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f2340394-4915-485e-b3f8-5aeafdb7794c"
	],
	"report_names": [
		"listgroups.cgi?u=f2340394-4915-485e-b3f8-5aeafdb7794c"
	],
	"threat_actors": [
		{
			"id": "3c5b0e7e-2388-4b63-9b97-6b027bec4bf7",
			"created_at": "2023-01-06T13:46:39.068694Z",
			"updated_at": "2026-04-10T02:00:03.202867Z",
			"deleted_at": null,
			"main_name": "Calypso",
			"aliases": [
				"BRONZE MEDLEY"
			],
			"source_name": "MISPGALAXY:Calypso",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13d9c5fc-af82-4474-90dd-188c4e40a399",
			"created_at": "2022-10-25T16:07:23.435079Z",
			"updated_at": "2026-04-10T02:00:04.601572Z",
			"deleted_at": null,
			"main_name": "Calypso",
			"aliases": [
				"Bronze Medley"
			],
			"source_name": "ETDA:Calypso",
			"tools": [
				"Agent.dhwf",
				"Byeby",
				"Calypso RAT",
				"DCSync",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EternalBlue",
				"EternalRomance",
				"FlyingDutchman",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"NBTscan",
				"OS_Check_445",
				"PlugX",
				"Quarks PwDump",
				"RedDelta",
				"SAMRID",
				"Sogu",
				"SysInternals",
				"TCP Port Scanner",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Whitebird",
				"Xamtrav",
				"ZXPortMap",
				"nbtscan",
				"netcat"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84799973d3b7fca6a19e6a71b8491b35c3783e5e.pdf",
		"text": "https://archive.orkl.eu/84799973d3b7fca6a19e6a71b8491b35c3783e5e.txt",
		"img": "https://archive.orkl.eu/84799973d3b7fca6a19e6a71b8491b35c3783e5e.jpg"
	}
}