{ "id": "506e8e25-b5f5-4b0d-bbf0-fa1f1cd3e541", "created_at": "2026-04-06T00:13:54.488887Z", "updated_at": "2026-04-10T03:25:21.246585Z", "deleted_at": null, "sha1_hash": "90d4bf7d0287a4b60a62b9e9c1853383d5e0a177", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47649, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:15:38 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool StickyFingers\n Tool: StickyFingers\nNames\nStickyFingers\nQUICKBALL\nCategory Malware\nType Backdoor\nDescription\nSticky Fingers, also known as QUICKBALL, is a simple DLL backdoor that is used by China-based advanced persistent threat actors to gain reverse shell access to infected systems. It has\nbeen observed in the healthcare, high-tech, consulting, manufacturing, energy and utilities,\ntelecommunications, aerospace, education, and legal services industries.\nInformation\nLast change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool StickyFingers\nChanged Name Country Observed\nAPT groups\n APT 18, Dynamite Panda, Wekby 2009-May 2016\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c437e980-e7ca-4b60-a52f-00b92d5b1f8b\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c437e980-e7ca-4b60-a52f-00b92d5b1f8b\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c437e980-e7ca-4b60-a52f-00b92d5b1f8b" ], "report_names": [ "listgroups.cgi?u=c437e980-e7ca-4b60-a52f-00b92d5b1f8b" ], "threat_actors": [ { "id": "17b92337-ca5f-48bb-926b-c93b5e5678a4", "created_at": "2022-10-25T16:07:23.333316Z", "updated_at": "2026-04-10T02:00:04.546474Z", "deleted_at": null, "main_name": "APT 18", "aliases": [ "APT 18", "Dynamite Panda", "G0026", "Red Wraith", "SILVERVIPER", "Satin Typhoon", "Scandium", "TG-0416", "Wekby" ], "source_name": "ETDA:APT 18", "tools": [ "AngryRebel", "AtNow", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HttpBrowser RAT", "HttpDump", "Moudour", "Mydoor", "PCRat", "Pisloader", "QUICKBALL", "Roseam", "StickyFingers", "Token Control", "TokenControl", "hcdLoader" ], "source_id": "ETDA", "reports": null }, { "id": "c8aefee7-fb57-409b-857e-23e986cb4a56", "created_at": "2023-01-06T13:46:38.285223Z", "updated_at": "2026-04-10T02:00:02.910756Z", "deleted_at": null, "main_name": "APT18", "aliases": [ "SCANDIUM", "PLA Navy", "Wekby", "G0026", "Satin Typhoon", "DYNAMITE PANDA", "TG-0416" ], "source_name": "MISPGALAXY:APT18", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2669aa86-663f-4e72-9362-9e61ff3599f4", "created_at": "2022-10-25T15:50:23.344796Z", "updated_at": "2026-04-10T02:00:05.38663Z", "deleted_at": null, "main_name": "APT18", "aliases": [ "APT18", "TG-0416", "Dynamite Panda", "Threat Group-0416" ], "source_name": "MITRE:APT18", "tools": [ "hcdLoader", "gh0st RAT", "cmd", "Pisloader", "HTTPBrowser" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434434, "ts_updated_at": 1775791521, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/90d4bf7d0287a4b60a62b9e9c1853383d5e0a177.pdf", "text": "https://archive.orkl.eu/90d4bf7d0287a4b60a62b9e9c1853383d5e0a177.txt", "img": "https://archive.orkl.eu/90d4bf7d0287a4b60a62b9e9c1853383d5e0a177.jpg" } }