{ "id": "598e8db5-2da6-47f3-8c54-0a4fd71307fb", "created_at": "2026-04-06T00:19:41.643976Z", "updated_at": "2026-04-10T03:38:06.486015Z", "deleted_at": null, "sha1_hash": "8a72334ec671a4fd486c70482a182cab59418ab9", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52697, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:20:52 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Syscon\n Tool: Syscon\nNames\nSyscon\nSYSCON\nSanny\nCategory Malware\nType Backdoor, Info stealer, Exfiltration\nDescription\n(Trend Micro) Bots can use various methods to establish a line of communication\nbetween themselves and their command-and-control (C\u0026C) server. Usually, these are\ndone via HTTP or other TCP/IP connections. However, we recently encountered a\nbotnet that uses a more unusual method: an FTP server that, in effect, acts as a C\u0026C\nserver.\nUsing an FTP server has some advantages. It is less common, and this fact may allow it\nto slip unnoticed by administrators and researchers. However, this also leaves the C\u0026C\ntraffic open for monitoring by others, including security researchers. In addition, thanks\nto a coding mistake by the attackers, this particular backdoor does not always run the\nright commands.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Syscon\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=60d69ed9-e971-40af-9ea7-658d46c130c4\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  Honeybee [Unknown] 2017  \r\n  Reaper, APT 37, Ricochet Chollima, ScarCruft 2012-Mar 2025\r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=60d69ed9-e971-40af-9ea7-658d46c130c4\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=60d69ed9-e971-40af-9ea7-658d46c130c4\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=60d69ed9-e971-40af-9ea7-658d46c130c4" ], "report_names": [ "listgroups.cgi?u=60d69ed9-e971-40af-9ea7-658d46c130c4" ], "threat_actors": [ { "id": "4025d5c4-53e5-4f0c-80de-80ac6e17c25a", "created_at": "2022-10-25T16:07:23.710983Z", "updated_at": "2026-04-10T02:00:04.721992Z", "deleted_at": null, "main_name": "Honeybee", "aliases": [ "G0072" ], "source_name": "ETDA:Honeybee", "tools": [ "LOLBAS", "LOLBins", "Living off the Land", "SYSCON", "Sanny", "Syscon" ], "source_id": "ETDA", "reports": null }, { "id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e", "created_at": "2025-08-07T02:03:25.082908Z", "updated_at": "2026-04-10T02:00:03.744649Z", "deleted_at": null, "main_name": "NICKEL FOXCROFT", "aliases": [ "APT37 ", "ATK4 ", "Group 123 ", "InkySquid ", "Moldy Pisces ", "Operation Daybreak ", "Operaton Erebus ", "RICOCHET CHOLLIMA ", "Reaper ", "ScarCruft ", "TA-RedAnt ", "Venus 121 " ], "source_name": "Secureworks:NICKEL FOXCROFT", "tools": [ "Bluelight", "Chinotto", "GOLDBACKDOOR", "KevDroid", "KoSpy", "PoorWeb", "ROKRAT", "final1stpy" ], "source_id": "Secureworks", "reports": null }, { "id": "e3dd6bd6-ec4e-48c4-bcdf-42cd1d68a6fe", "created_at": "2023-01-06T13:46:38.983963Z", "updated_at": "2026-04-10T02:00:03.171396Z", "deleted_at": null, "main_name": "Honeybee", "aliases": [ "G0072" ], "source_name": "MISPGALAXY:Honeybee", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3e204dce-1974-4051-85dc-849fcd5c1226", "created_at": "2022-10-25T15:50:23.772479Z", "updated_at": "2026-04-10T02:00:05.288825Z", "deleted_at": null, "main_name": "Honeybee", "aliases": [ "Honeybee" ], "source_name": "MITRE:Honeybee", "tools": [ "Tasklist", "cmd", "Systeminfo" ], "source_id": "MITRE", "reports": null }, { "id": "bbe36874-34b7-4bfb-b38b-84a00b07042e", "created_at": "2022-10-25T15:50:23.375277Z", "updated_at": "2026-04-10T02:00:05.327922Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "APT37", "InkySquid", "ScarCruft", "Group123", "TEMP.Reaper", "Ricochet Chollima" ], "source_name": "MITRE:APT37", "tools": [ "BLUELIGHT", "CORALDECK", "KARAE", "SLOWDRIFT", "ROKRAT", "SHUTTERSPEED", "POORAIM", "HAPPYWORK", "Final1stspy", "Cobalt Strike", "NavRAT", "DOGCALL", "WINERACK" ], "source_id": "MITRE", "reports": null }, { "id": "552ff939-52c3-421b-b6c9-749cbc21a794", "created_at": "2023-01-06T13:46:38.742547Z", "updated_at": "2026-04-10T02:00:03.08515Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "Operation Daybreak", "Red Eyes", "ScarCruft", "G0067", "Group123", "Reaper Group", "Ricochet Chollima", "ATK4", "APT 37", "Operation Erebus", "Moldy Pisces", "APT-C-28", "Group 123", "InkySquid", "Venus 121" ], "source_name": "MISPGALAXY:APT37", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9b02c527-5077-489e-9a80-5d88947fddab", "created_at": "2022-10-25T16:07:24.103499Z", "updated_at": "2026-04-10T02:00:04.867181Z", "deleted_at": null, "main_name": "Reaper", "aliases": [ "APT 37", "ATK 4", "Cerium", "Crooked Pisces", "G0067", "Geumseong121", "Group 123", "ITG10", "InkySquid", "Moldy Pisces", "Opal Sleet", "Operation Are You Happy?", "Operation Battle Cruiser", "Operation Black Banner", "Operation Daybreak", "Operation Dragon messenger", "Operation Erebus", "Operation Evil New Year", "Operation Evil New Year 2018", "Operation Fractured Block", "Operation Fractured Statue", "Operation FreeMilk", "Operation Golden Bird", "Operation Golden Time", "Operation High Expert", "Operation Holiday Wiper", "Operation Korean Sword", "Operation North Korean Human Right", "Operation Onezero", "Operation Rocket Man", "Operation SHROUDED#SLEEP", "Operation STARK#MULE", "Operation STIFF#BIZON", "Operation Spy Cloud", "Operation Star Cruiser", "Operation ToyBox Story", "Osmium", "Red Eyes", "Ricochet Chollima", "Ruby Sleet", "ScarCruft", "TA-RedAnt", "TEMP.Reaper", "Venus 121" ], "source_name": "ETDA:Reaper", "tools": [ "Agentemis", "BLUELIGHT", "Backdoor.APT.POORAIM", "CARROTBALL", "CARROTBAT", "CORALDECK", "Cobalt Strike", "CobaltStrike", "DOGCALL", "Erebus", "Exploit.APT.RICECURRY", "Final1stSpy", "Freenki Loader", "GELCAPSULE", "GOLDBACKDOOR", "GreezeBackdoor", "HAPPYWORK", "JinhoSpy", "KARAE", "KevDroid", "Konni", "MILKDROP", "N1stAgent", "NavRAT", "Nokki", "Oceansalt", "POORAIM", "PoohMilk", "PoohMilk Loader", "RICECURRY", "RUHAPPY", "RokRAT", "SHUTTERSPEED", "SLOWDRIFT", "SOUNDWAVE", "SYSCON", "Sanny", "ScarCruft", "StarCruft", "Syscon", "VeilShell", "WINERACK", "ZUMKONG", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434781, "ts_updated_at": 1775792286, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8a72334ec671a4fd486c70482a182cab59418ab9.pdf", "text": "https://archive.orkl.eu/8a72334ec671a4fd486c70482a182cab59418ab9.txt", "img": "https://archive.orkl.eu/8a72334ec671a4fd486c70482a182cab59418ab9.jpg" } }