{
	"id": "aa8ab332-e651-4f43-8dec-fd202f430331",
	"created_at": "2026-04-06T00:15:26.074951Z",
	"updated_at": "2026-04-10T03:30:10.790991Z",
	"deleted_at": null,
	"sha1_hash": "8a7454a2946220e10d1ad75e6df65e95fc0fe68a",
	"title": "NetHelp Infostealer - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48563,
	"plain_text": "NetHelp Infostealer - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 16:33:44 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool NetHelp Infostealer\n Tool: NetHelp Infostealer\nNames\nNetHelp Infostealer\nNetHelp Striker\nCategory Malware\nType Backdoor, Info stealer\nDescription\n(Recorded Future) The NetHelp payload was only designed to work as a service (a persistence\nmethod established by the audio dropper of matching bitness). The payload dynamically links\nAPIs at runtime via GetProcAddress and LoadLibrary.\nThe implant simultaneously relied on two methods of communication: creating a separate\nthread with an open socket to the server on port 80, as well as issuing POST requests to the C2\nserver with the specific User-Agent.\nInformation Last change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool NetHelp Infostealer\nChanged Name Country Observed\nAPT groups\n RedAlpha 2015-2021\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7db71641-766e-4bfb-90a8-2b7626e526e7\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7db71641-766e-4bfb-90a8-2b7626e526e7\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7db71641-766e-4bfb-90a8-2b7626e526e7\r\nPage 2 of 2\n\nAPT groups  RedAlpha 2015-2021 \n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7db71641-766e-4bfb-90a8-2b7626e526e7"
	],
	"report_names": [
		"listgroups.cgi?u=7db71641-766e-4bfb-90a8-2b7626e526e7"
	],
	"threat_actors": [
		{
			"id": "9381a9dc-8d8e-453a-9fe5-301136ff0f83",
			"created_at": "2023-01-06T13:46:38.775762Z",
			"updated_at": "2026-04-10T02:00:03.096032Z",
			"deleted_at": null,
			"main_name": "RedAlpha",
			"aliases": [
				"DeepCliff",
				"Red Dev 3"
			],
			"source_name": "MISPGALAXY:RedAlpha",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cc8271a3-471f-4b8c-9da6-7d50f8ccabaa",
			"created_at": "2022-10-25T16:07:24.107066Z",
			"updated_at": "2026-04-10T02:00:04.868213Z",
			"deleted_at": null,
			"main_name": "RedAlpha",
			"aliases": [
				"DeepCliff",
				"Red Dev 3"
			],
			"source_name": "ETDA:RedAlpha",
			"tools": [
				"AngryRebel",
				"Bladabindi",
				"FF-RAT",
				"Farfli",
				"FormerFirstRAT",
				"Gh0st RAT",
				"Ghost RAT",
				"Jorik",
				"Moudour",
				"Mydoor",
				"NetHelp Infostealer",
				"NetHelp Striker",
				"PCRat",
				"RedAlpha",
				"ffrat",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775791810,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a7454a2946220e10d1ad75e6df65e95fc0fe68a.pdf",
		"text": "https://archive.orkl.eu/8a7454a2946220e10d1ad75e6df65e95fc0fe68a.txt",
		"img": "https://archive.orkl.eu/8a7454a2946220e10d1ad75e6df65e95fc0fe68a.jpg"
	}
}