{
	"id": "af7289aa-95de-4b81-9470-8da126c7f2b3",
	"created_at": "2026-04-06T00:20:19.902314Z",
	"updated_at": "2026-04-10T13:12:23.367422Z",
	"deleted_at": null,
	"sha1_hash": "935a59cde6d931a628cd50010c778607e311676b",
	"title": "Attack Activities by Quasar Family - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2985932,
	"plain_text": "Attack Activities by Quasar Family - JPCERT/CC Eyes\r\nBy 喜野 孝太(Kota Kino)\r\nPublished: 2020-12-09 · Archived: 2026-04-05 14:44:44 UTC\r\nQuasar [1] is an open source RAT (Remote Administration Tool) with a variety of functions. It is easy to use and is therefore abused by several APT actors. JPCERT/CC has confirmed that a group called APT10 used this tool in some targeted attacks against Japanese organisations.\r\nAs Quasar’s source code is publicly available, there are many variants of this RAT seen in the wild (referred to as “Quasar Family” hereafter). Some of them have been used in attacks against Japanese organisations, and they are seen as a threat as well as Quasar itself.\r\nThis article introduces the details of Quasar and Quasar Family.\r\nQuasar overview\r\nQuasar offers many functions which are intended for purposes such as device management, support operation and employee monitoring. Figure 1 describes Quasar’s functions and its supported environment as specified on GitHub.\r\nFigure 1: Quasar’s functions and supported environment\r\nThis tool was called “xRAT” at the time of its initial release; however, it was renamed “Quasar” in August 2015. The latest version is v1.4, released in June 2020.\r\nhttps://blogs.jpcert.or.jp/en/2020/12/quasar-family.html\r\nPage 1 of 11\n\nFigure 2: Quasar versions\r\nAs v1.3 and earlier versions are still used in recent attacks, this article explains the functions of both v1.3 and v1.4.\r\nCommunication protocol\r\nQuasar v1.3 uses a custom protocol which combines AES encryption and QuickLZ compression. In v1.4, however, Protocol Buffers (developed by Google) is used for data serialisation instead. 
In addition, the entire communication is encrypted with TLS 1.2.\r\nFigure 3 shows the comparison of the communication format in v1.3 and v1.4.\r\nFigure 3: Quasar’s communication format\r\nCommunication flow\r\nIn v1.3, once a client connects to a server, authentication is performed. After that, the main body of data, including the commands, is exchanged. In v1.4, on the other hand, the authentication is replaced by a TLS handshake, and the data exchange begins after that.\r\nFigure 4 illustrates Quasar’s communication flow between a client and a server.\r\nFigure 4: Quasar’s communication flow\r\nConfiguration\r\nQuasar embeds its configuration in its own binary. The configuration is encrypted with AES and then BASE64-encoded, and it is decrypted when the tool is executed, using the value specified in “ENCRYPTIONKEY” in the configuration.\r\nFigure 5: Quasar configuration\r\nFigure 6: Configuration format\r\nTable 1 details the configuration for Quasar.\r\nTable 1: Configuration (a version in parentheses marks a key found only in that version)\r\nVERSION | INSTALL | LOGDIRECTORY (1.3)\r\nHOSTS | STARTUP | SERVERSIGNATURE (1.4)\r\nPORT (xRAT only) | MUTEX | SERVERCERTIFICATESTR (1.4)\r\nRECONNECTDELY | STARTUPKEY | SERVERCERTIFICATE (1.4)\r\nKEY | HIDEFILE | HIDELOGDIRECTORY (1.3)\r\nAUTHKEY | ENABLEUACESCALATION (xRAT only) | HIDELOGSUBDIRECTORY (1.3)\r\nDIRECTORY | ENABLELOGGER | INSTALLPATH (1.4)\r\nSUBDIRECTORY | ENCRYPTIONKEY | LOGSPATH (1.4)\r\nINSTALLNAME | TAG (1.3) | UNATTENDEDMODE (1.4)\r\nCommands\r\nIn v1.3, the command sets are defined for “typeof” calls. 
Figure 7 shows some examples of commands defined in Quasar.\r\nFigure 7: Commands\r\nQuasar Family\r\nTable 2 lists the Quasar Family variants derived from Quasar which JPCERT/CC has confirmed.\r\nTable 2: Quasar Family\r\nName | Category | Configuration | Communication protocol | Use in attacks in the wild\r\nGolden Edition | Clone | Identical | Identical | Confirmed\r\nXPCTRA | Clone | Custom | Identical | Confirmed\r\nCinaRAT [2] | Clone | Identical | Identical | Confirmed\r\nXtremis 2.0 [3] | Clone | Identical | Identical | Not confirmed\r\nQuasarStrike [4] | Clone | Identical | Identical | Not confirmed\r\nVenomRAT | Clone | Identical | Identical | Not confirmed\r\nRSMaster [5] | Partially copied | Custom | Identical | Not confirmed\r\nVoid-RAT | Partially copied | Custom | Identical | Confirmed\r\nAsyncRAT [6] | Partially copied | Custom | Identical | Confirmed\r\n* “Clone” in the category refers to variants which use the entire source code of Quasar with some functions added or modified. “Partially copied” refers to variants created as a new RAT using parts of the original source code.\r\nFigure 8 shows the comparison of commands embedded in XPCTRA and Quasar.\r\nFigure 8: Comparison of commands\r\n(Left: XPCTRA / Right: Quasar)\r\nIn the comparison above, it is clear that the commands in XPCTRA are mostly identical to those in Quasar.\r\nFigure 9 shows the comparison of the salt value in AsyncRAT and Quasar.\r\nFigure 9: Comparison of salt value\r\n(Above: AsyncRAT / Below: Quasar)\r\nThe salt value in AsyncRAT is identical to that in Quasar.\r\nAs the Quasar Family reuses parts of the source code of Quasar, its configuration and communication protocol 
In some cases, some functions are customised, and as a result, some new configuration and\r\ncommands are added.\r\nAttack campaigns using Quasar\r\nQuasar has been used in many attack campaigns. Table 3 lists the differences of Quasar used by each attack group.\r\nTable 3: Example of Quasar used by attack group\r\nAttack group Quasar version Customisation Obfuscation\r\nAPT33 1.3.0.0 No ConfuserEx v1.0.0\r\nGorgon Group - No\r\nAPT-C-09 2.0.0.0 RELEASE3 No\r\nDustySky 1.1.0.0 No\r\nAPT10 2.0.0.0(Custom Version) Yes ConfuserEx v1.0.0\r\nThe original Quasar with the default configuration value was used in most cases. Figure 10 shows an example\r\nconfiguration of Quasar used by APT 33.\r\nFigure 10: Configuration of Quasar used by APT33\r\nIn most parts, the default values of the builder generating Quasar are used as is, except for STARTUPKEY. This\r\nway, attacker groups use the default values as per the original to avoid leaving any distinctive evidence.\r\nIn some cases, attackers customise Quasar. For example, APT 10 updated some features and used it in some\r\nattacks. The following sections will cover the details of this custom Quasar.\r\nConfiguration\r\nQuasar used by APT 10 (hereafter “custom Quasar”) has the following additional values in the configuration.\r\nhttps://blogs.jpcert.or.jp/en/2020/12/quasar-family.html\r\nPage 7 of 11\n\nDOWNLOAD_URL\r\nPROXY\r\nFigure 11 shows the comparison of configuration in the custom Quasar and the original Quasar.\r\nFigure 11: Comparison of configuration\r\n(Left: custom Quasar / Right: original Quasar)\r\nIn “PROXY”, a proxy server URL can be configured. 
This ensures that the custom Quasar is able to communicate with a C2 server even if the target’s environment uses proxy servers.\r\nWhile the original Quasar uses CBC mode when encrypting the configuration with AES, the custom Quasar uses CFB mode.\r\nFigure 12: Comparison of AES code\r\n(Left: custom Quasar / Right: original Quasar)\r\nAdded/deleted commands\r\nThere are some changes to the commands in the custom Quasar. Figure 13 shows the comparison of commands in the custom Quasar and the original Quasar.\r\nFigure 13: Comparison of commands\r\n(Left: custom Quasar / Right: original Quasar)\r\nIn the custom Quasar, the new commands DoPlugin and DoPluginResponse are added, while some commands, including the keylogger, are deleted.\r\nWith DoPlugin, new functions can be added by loading additional plugin modules. These new modules can be deleted with DoPluginResponse.\r\nThis change enables Quasar to dynamically extend its functions with commands while keeping Quasar itself as simple as possible. This suggests the attacker’s intention to avoid detection by anti-virus software.\r\nError log creation\r\nThe custom Quasar has a function to create error logs. The file path of the error logs is hardcoded in the binary.\r\nFigure 14: Error log creation\r\nCommunication protocol\r\nThe encryption algorithms for communication with a C2 server also differ in the custom Quasar. While the original Quasar uses AES and QuickLZ, the custom Quasar additionally uses XOR encoding. Figure 15 shows the XOR encoding process added to the custom Quasar.\r\nFigure 15: XOR encoding process\r\nFor AES encryption, the custom Quasar uses CFB mode instead of CBC mode, as seen in the configuration. 
The encryption methods are as follows:\r\nOriginal Quasar: QuickLZ + AES (mode CBC)\r\nCustom Quasar: QuickLZ + AES (mode CFB) + XOR\r\nC2 server activities\r\nJPCERT/CC investigated the activities of Quasar Family C2 servers based on the characteristics discussed above. As of November 2020, 76 IP addresses running as C2 servers have been identified. Figure 16 shows the distribution of Quasar Family C2 servers which were revealed in this investigation.\r\nFigure 16: C2 server distribution\r\nMultiple C2 servers are still running in different countries, which indicates that the Quasar Family remains active.\r\nIn closing\r\nBesides Quasar, other open source RATs are being used in ongoing attack cases [7]. Attackers are taking advantage of these tools to make attribution difficult and to reduce the cost of developing attack infrastructure. This attack trend is expected to continue.\r\nA tool to support Quasar analysis (compatible with Quasar v1.3 only) is available on GitHub. 
We hope you find it useful.\r\nKota Kino, Shusei Tomonaga\r\nIn cooperation with Tomoaki Tani\r\n(Translated by Yukako Uchida)\r\nReference\r\n[1] GitHub: Quasar\r\nhttps://github.com/quasar/Quasar\r\n[2] GitHub: CinaRAT\r\nhttps://github.com/wearelegal/CinaRAT\r\n[3] GitHub: Xtremis 2.0\r\nhttps://github.com/pavitra14/Xtremis-V2.0\r\n[4] GitHub: QuasarStrike\r\nhttps://github.com/Q-Strike/QuasarStrike\r\n[5] GitHub: RSMaster\r\nhttps://github.com/Netskyes/rsmaster\r\n[6] GitHub: AsyncRAT\r\nhttps://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp\r\n[7] Japan Security Analyst Conference 2020 (Opening Talk): Looking back on the incidents in 2019\r\nhttps://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf\r\nSource: https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html"
	],
	"report_names": [
		"quasar-family.html"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434819,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/935a59cde6d931a628cd50010c778607e311676b.pdf",
		"text": "https://archive.orkl.eu/935a59cde6d931a628cd50010c778607e311676b.txt",
		"img": "https://archive.orkl.eu/935a59cde6d931a628cd50010c778607e311676b.jpg"
	}
}