{ "id": "cf61ffec-f96b-42f4-86b5-8b77782b0439", "created_at": "2026-04-06T00:20:18.77673Z", "updated_at": "2026-04-10T13:11:50.310706Z", "deleted_at": null, "sha1_hash": "877b51185fbe832b86dd3d88d3c04ea4f54213cf", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 73374, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:45:31 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool LokiBot\n Tool: LokiBot\nNames\nLokiBot\nLoki\nLokiPWS\nLoki.Rat\nForeIT\nCategory Malware\nType Banking trojan, Backdoor, Keylogger, Info stealer, Credential stealer, Loader\nDescription\n(Accenture) Loki Bot is a resident loader, and password and cryptocurrency wallet stealer. Loki\nBot captures passwords from browsers, as well as e-mail, FTP, SSH and poker clients.\nInformation https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f37100e9-04b8-40ff-a39c-fe1d24a814cc\nPage 1 of 2\n\nMITRE ATT\u0026CK Malpedia\nAlienVault OTX Playbook Last change to this tool card: 14 March 2024\nDownload this tool card in JSON format\nAll groups using tool LokiBot\nChanged Name Country Observed\nAPT groups\n El Machete [Unknown] 2010-Mar 2022\n Gorgon Group 2017-Jul 2020\n Patchwork, Dropping Elephant 2013-Jun 2025\n RATicate [Unknown] 2019\n Sweed [Unknown] 2017-2019\n5 groups listed (5 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f37100e9-04b8-40ff-a39c-fe1d24a814cc\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f37100e9-04b8-40ff-a39c-fe1d24a814cc\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f37100e9-04b8-40ff-a39c-fe1d24a814cc" ], "report_names": [ "listgroups.cgi?u=f37100e9-04b8-40ff-a39c-fe1d24a814cc" ], "threat_actors": [ { "id": "414d7c65-5872-4e56-8a7d-49a2aeef1632", "created_at": "2025-08-07T02:03:24.7983Z", "updated_at": "2026-04-10T02:00:03.76109Z", "deleted_at": null, "main_name": "COPPER FIELDSTONE", "aliases": [ "APT36 ", "Earth Karkaddan ", "Gorgon Group ", "Green Havildar ", "Mythic Leopard ", "Operation C-Major ", "Operation Transparent Tribe ", "Pasty Draco ", "ProjectM ", "Storm-0156 " ], "source_name": "Secureworks:COPPER FIELDSTONE", "tools": [ "CapraRAT", "Crimson RAT", "DarkComet", "ElizaRAT", "LuminosityLink", "ObliqueRAT", "Peppy", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "d303c77e-0110-471b-a3a6-37fce9ac848d", "created_at": "2022-10-25T15:50:23.342452Z", "updated_at": "2026-04-10T02:00:05.373848Z", "deleted_at": null, "main_name": "Machete", "aliases": [ "APT-C-43", "El Machete" ], "source_name": "MITRE:Machete", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4", "created_at": "2025-08-07T02:03:25.123407Z", "updated_at": "2026-04-10T02:00:03.668131Z", "deleted_at": null, "main_name": "ZINC EMERSON", "aliases": [ "Confucius ", "Dropping Elephant ", "EHDevel ", "Manul ", "Monsoon ", "Operation Hangover ", "Patchwork ", "TG-4410 ", "Viceroy Tiger " ], "source_name": "Secureworks:ZINC EMERSON", "tools": [ "Enlighten Infostealer", "Hanove", "Mac OS X KitM Spyware", "Proyecto2", "YTY Backdoor" ], "source_id": "Secureworks", "reports": null }, { "id": "ba4f277c-c3da-45e6-a2fb-4ed556dbae64", "created_at": "2023-01-06T13:46:38.605117Z", "updated_at": "2026-04-10T02:00:03.03665Z", "deleted_at": null, "main_name": "El Machete", "aliases": [ "G0095", "machete-apt", "APT-C-43" ], "source_name": "MISPGALAXY:El Machete", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "edc11896-f4f1-4132-9c38-d073ccdcf5b6", "created_at": "2022-10-25T16:07:23.576476Z", "updated_at": "2026-04-10T02:00:04.674784Z", "deleted_at": null, "main_name": "El Machete", "aliases": [ "APT-C-43", "ATK 97", "G0095", "Operation HpReact", "TAG-NS1", "TEMP.Andromeda" ], "source_name": "ETDA:El Machete", "tools": [ "El Machete", "ForeIT", "LOLBAS", "LOLBins", "Living off the Land", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "Pyark" ], "source_id": "ETDA", "reports": null }, { "id": "fe3d8dee-3bee-42e6-8f16-b6628b6189ae", "created_at": "2023-01-06T13:46:39.039285Z", "updated_at": "2026-04-10T02:00:03.193589Z", "deleted_at": null, "main_name": "SWEED", "aliases": [], "source_name": "MISPGALAXY:SWEED", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "0d07b30c-4393-4071-82fb-22f51f7749e0", "created_at": "2022-10-25T16:07:24.097096Z", "updated_at": "2026-04-10T02:00:04.865146Z", "deleted_at": null, "main_name": "RATicate", "aliases": [], "source_name": "ETDA:RATicate", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "BetaBot", "BlackRAT", "BlackRemote", "Bladabindi", "CloudEyE", "ForeIT", "Formbook", "GuLoader", "Jorik", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "NSIS", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Neurevt", "Nullsoft Scriptable Install System", "Origin Logger", "Recam", "Remcos", "RemcosRAT", "Remvio", "Socmer", "ZPAQ", "njRAT", "vbdropper", "win.xloader" ], "source_id": "ETDA", "reports": null }, { "id": "f2c53785-fb8b-460d-ba73-7fbfba36f0f5", "created_at": "2022-10-25T16:07:24.247949Z", "updated_at": "2026-04-10T02:00:04.911034Z", "deleted_at": null, "main_name": "Sweed", "aliases": [], "source_name": "ETDA:Sweed", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "ForeIT", "Formbook", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "Negasteal", "Origin Logger", "RDP", "Remote Desktop Protocol", "ZPAQ", "win.xloader" ], "source_id": "ETDA", "reports": null }, { "id": "7ea1e0de-53b9-4059-802f-485884180701", "created_at": "2022-10-25T16:07:24.04846Z", "updated_at": "2026-04-10T02:00:04.84985Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "APT-C-09", "ATK 11", "Capricorn Organisation", "Chinastrats", "Dropping Elephant", "G0040", "Maha Grass", "Quilted Tiger", "TG-4410", "Thirsty Gemini", "Zinc Emerson" ], "source_name": "ETDA:Patchwork", "tools": [ "AndroRAT", "Artra Downloader", "ArtraDownloader", "AutoIt backdoor", "BADNEWS", "BIRDDOG", "Bahamut", "Bozok", "Bozok RAT", "Brute Ratel", "Brute Ratel C4", "CinaRAT", "Crypta", "ForeIT", "JakyllHyde", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "NDiskMonitor", "Nadrac", "PGoShell", "PowerSploit", "PubFantacy", "Quasar RAT", "QuasarRAT", "Ragnatela", "Ragnatela RAT", "SocksBot", "TINYTYPHON", "Unknown Logger", "WSCSPL", "Yggdrasil" ], "source_id": "ETDA", "reports": null }, { "id": "18278778-fa63-4a9a-8988-4d266b8c5c1a", "created_at": "2023-01-06T13:46:38.769816Z", "updated_at": "2026-04-10T02:00:03.094179Z", "deleted_at": null, "main_name": "The Gorgon Group", "aliases": [ "Gorgon Group", "Subaat", "ATK92", "G0078", "Pasty Gemini" ], "source_name": "MISPGALAXY:The Gorgon Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd", "created_at": "2022-10-25T15:50:23.296989Z", "updated_at": "2026-04-10T02:00:05.347085Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "Gorgon Group" ], "source_name": "MITRE:Gorgon Group", "tools": [ "NanoCore", "QuasarRAT", "Remcos", "njRAT" ], "source_id": "MITRE", "reports": null }, { "id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6", "created_at": "2022-10-25T15:50:23.285448Z", "updated_at": "2026-04-10T02:00:05.282202Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "Hangover Group", "Dropping Elephant", "Chinastrats", "Operation Hangover" ], "source_name": "MITRE:Patchwork", "tools": [ "NDiskMonitor", "QuasarRAT", "BackConfig", "TINYTYPHON", "AutoIt backdoor", "PowerSploit", "BADNEWS", "Unknown Logger" ], "source_id": "MITRE", "reports": null }, { "id": "2b29dd16-a06f-4830-81a1-365443bc54b8", "created_at": "2023-01-06T13:46:38.460047Z", "updated_at": "2026-04-10T02:00:02.983931Z", "deleted_at": null, "main_name": "QUILTED TIGER", "aliases": [ "Chinastrats", "Sarit", "APT-C-09", "ZINC EMERSON", "ATK11", "G0040", "Orange Athos", "Thirsty Gemini", "Dropping Elephant" ], "source_name": "MISPGALAXY:QUILTED TIGER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53", "created_at": "2022-10-25T16:07:23.693797Z", "updated_at": "2026-04-10T02:00:04.711987Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "ATK 92", "G0078", "Pasty Draco", "Subaat", "TAG-CR5" ], "source_name": "ETDA:Gorgon Group", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Atros2.CKPN", "Bladabindi", "CinaRAT", "Crimson RAT", "ForeIT", "Jorik", "LOLBAS", "LOLBins", "Living off the Land", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "MSIL", "MSIL/Crimson", "Nancrat", "NanoCore", "NanoCore RAT", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Origin Logger", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "Revenge RAT", "RevengeRAT", "Revetrat", "SEEDOOR", "Scarimson", "Socmer", "Yggdrasil", "ZPAQ", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434818, "ts_updated_at": 1775826710, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/877b51185fbe832b86dd3d88d3c04ea4f54213cf.pdf", "text": "https://archive.orkl.eu/877b51185fbe832b86dd3d88d3c04ea4f54213cf.txt", "img": "https://archive.orkl.eu/877b51185fbe832b86dd3d88d3c04ea4f54213cf.jpg" } }