{ "id": "6c7b7a09-4624-4e41-a03e-aa068fcb0485", "created_at": "2026-04-06T00:08:33.125395Z", "updated_at": "2026-04-10T03:36:13.872276Z", "deleted_at": null, "sha1_hash": "8807d7f3dd3cf4770f713e4b956556ee38c8a6fc", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52575, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:05:57 UTC\n Tool: Daserf\nNames\nDaserf\nMuirim\nNioupale\nCategory Malware\nType Backdoor\nDescription\n(LAC) Daserf is a type of malware that features a backdoor which is also known as a\n'Nioupale.'\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 13 May 2020\nDownload this tool card in JSON format\nAll groups using tool Daserf\nChanged Name Country Observed\nAPT groups\n Bronze Butler, Tick, RedBaldNight, Stalker Panda 2006-Apr 2021\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=705a7377-5ba7-4704-b156-2adbce0e3de2\nPage 1 of 2\n\n↑\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=705a7377-5ba7-4704-b156-2adbce0e3de2\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=705a7377-5ba7-4704-b156-2adbce0e3de2\r\nPage 2 of 2\n\nAPT groups Bronze Butler, Tick, RedBaldNight, Stalker Panda 2006-Apr 2021\n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=705a7377-5ba7-4704-b156-2adbce0e3de2" ], "report_names": [ "listgroups.cgi?u=705a7377-5ba7-4704-b156-2adbce0e3de2" ], "threat_actors": [ { "id": "bbefc37d-475c-4d4d-b80b-7a55f896de82", "created_at": "2022-10-25T15:50:23.571783Z", "updated_at": "2026-04-10T02:00:05.302196Z", "deleted_at": null, "main_name": "BRONZE BUTLER", "aliases": [ "BRONZE BUTLER", "REDBALDKNIGHT" ], "source_name": "MITRE:BRONZE BUTLER", "tools": [ "Mimikatz", "build_downer", "cmd", "ABK", "at", "BBK", "schtasks", "down_new", "Daserf", "ShadowPad", "Windows Credential Editor", "gsecdump" ], "source_id": "MITRE", "reports": null }, { "id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf", "created_at": "2023-01-06T13:46:38.626906Z", "updated_at": "2026-04-10T02:00:03.043681Z", "deleted_at": null, "main_name": "Tick", "aliases": [ "G0060", "Stalker Taurus", "PLA Unit 61419", "Swirl Typhoon", "Nian", "BRONZE BUTLER", "REDBALDKNIGHT", "STALKER PANDA" ], "source_name": "MISPGALAXY:Tick", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "54e55585-1025-49d2-9de8-90fc7a631f45", "created_at": "2025-08-07T02:03:24.563488Z", "updated_at": "2026-04-10T02:00:03.715427Z", "deleted_at": null, "main_name": "BRONZE BUTLER", "aliases": [ "CTG-2006 ", "Daserf", "Stalker Panda ", "Swirl Typhoon ", "Tick " ], "source_name": "Secureworks:BRONZE BUTLER", "tools": [ "ABK", "BBK", "Casper", "DGet", "Daserf", "Datper", "Ghostdown", "Gofarer", "MSGet", "Mimikatz", "Netboy", "RarStar", "Screen Capture Tool", "ShadowPad", "ShadowPy", "T-SMB", "down_new", "gsecdump" ], "source_id": "Secureworks", "reports": null }, { "id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b", "created_at": "2022-10-25T16:07:23.419513Z", "updated_at": "2026-04-10T02:00:04.591062Z", "deleted_at": null, "main_name": "Bronze Butler", "aliases": [ "Bronze Butler", "CTG-2006", "G0060", "Operation ENDTRADE", "RedBaldNight", "Stalker Panda", "Stalker Taurus", "Swirl Typhoon", "TEMP.Tick", "Tick" ], "source_name": "ETDA:Bronze Butler", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "9002 RAT", "AngryRebel", "Blogspot", "Daserf", "Datper", "Elirks", "Farfli", "Gh0st RAT", "Ghost RAT", "HOMEUNIX", "HidraQ", "HomamDownloader", "Homux", "Hydraq", "Lilith", "Lilith RAT", "McRAT", "MdmBot", "Mimikatz", "Minzen", "Moudour", "Muirim", "Mydoor", "Nioupale", "PCRat", "POISONPLUG.SHADOW", "Roarur", "RoyalRoad", "ShadowPad Winnti", "ShadowWali", "ShadowWalker", "SymonLoader", "WCE", "Wali", "Windows Credential Editor", "Windows Credentials Editor", "XShellGhost", "XXMM", "gsecdump", "rarstar" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434113, "ts_updated_at": 1775792173, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8807d7f3dd3cf4770f713e4b956556ee38c8a6fc.pdf", "text": "https://archive.orkl.eu/8807d7f3dd3cf4770f713e4b956556ee38c8a6fc.txt", "img": "https://archive.orkl.eu/8807d7f3dd3cf4770f713e4b956556ee38c8a6fc.jpg" } }