{
	"id": "a7c6ca12-7fe6-43cc-a26b-bfbc59e39c16",
	"created_at": "2026-04-06T00:15:07.035759Z",
	"updated_at": "2026-04-10T03:29:58.259045Z",
	"deleted_at": null,
	"sha1_hash": "8aea60d53b7093e063ec07a70e25a96547d545e7",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54746,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:47:41 UTC\nTool: Asruex\nNames: Asruex\nCategory: Malware\nType: Backdoor, Worm\nDescription\n(Trend Micro) Since it first emerged in 2015, Asruex has been known for its backdoor\ncapabilities and connection to the spyware DarkHotel. However, when we encountered\nAsruex in a PDF file, we found that a variant of the malware can also act as an infector\nparticularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883,\nwhich inject code in Word and PDF files respectively.\nThe use of old, patched vulnerabilities could hint that the variant was devised knowing\nthat it can affect targets who have been using older versions of Adobe Reader (versions\n9.x up to before 9.4) and Acrobat (versions 8.x up to before 8.2.5) on Windows and Mac\nOS X.\nInformation: Malpedia, AlienVault OTX\nLast change to this tool card: 24 April 2021\nAll groups using tool Asruex\nChanged Name Country Observed\nAPT groups\nDarkHotel 2007-2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=39c65a96-a0e8-42fa-80d5-5d36c0be61c3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=39c65a96-a0e8-42fa-80d5-5d36c0be61c3"
	],
	"report_names": [
		"listgroups.cgi?u=39c65a96-a0e8-42fa-80d5-5d36c0be61c3"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434507,
	"ts_updated_at": 1775791798,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8aea60d53b7093e063ec07a70e25a96547d545e7.pdf",
		"text": "https://archive.orkl.eu/8aea60d53b7093e063ec07a70e25a96547d545e7.txt",
		"img": "https://archive.orkl.eu/8aea60d53b7093e063ec07a70e25a96547d545e7.jpg"
	}
}