{ "id": "5126a1f9-becf-4314-87ed-6b922a332ea4", "created_at": "2026-04-06T00:06:34.007048Z", "updated_at": "2026-04-10T13:12:44.439889Z", "deleted_at": null, "sha1_hash": "93ca41f451857abc1c5d58116c6e3a01f2371219", "title": "Subgroup: Goldmouse, APT-C-27 - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49605, "plain_text": "Subgroup: Goldmouse, APT-C-27 - Threat Group Cards: A Threat\nActor Encyclopedia\nArchived: 2026-04-05 23:45:52 UTC\nHome \u003e List all groups \u003e Subgroup: Goldmouse, APT-C-27\n APT group: Subgroup: Goldmouse, APT-C-27\nNames\nGoldmouse (Qihoo 360)\nGolden Rat (Qihoo 360)\nAPT-C-27 (Qihoo 360)\nATK 80 (Thales)\nCountry Syria\nSponsor Syrian Electronic Army\nMotivation Information theft and espionage\nFirst seen 2014\nDescription\nA subgroup of Syrian Electronic Army (SEA), Deadeye Jackal.\n(Qihoo 360) On March 17, 2019, 360 Threat Intelligence Center captured a target attack\nsample against the Middle East by exploiting WinRAR vulnerability (CVE-2018-20250), and\nit seems that the attack is carried out by the Goldmouse APT group (APT-C-27). There is a\ndecoy Word document inside the archive regarding terrorist attacks to lure the victim into\ndecompressing. When the archive gets decompressed on the vulnerable computer, the\nembedded njRAT backdoor (Telegram Desktop.exe) will be extracted to the startup folder and\nthen triggered into execution if the victim restarts the computer or performs re-login. After\nthat, the attacker is capable to control the compromised device.\nObserved Countries: Syria and Middle East.\nTools used GoldenRAT, njRAT and a WinRAR exploit.\nInformation\nLast change to this card: 20 April 2020\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=a9039e6e-531f-4b17-9c0d-ba8905ce5293\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a9039e6e-531f-4b17-9c0d-ba8905ce5293\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=a9039e6e-531f-4b17-9c0d-ba8905ce5293\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a9039e6e-531f-4b17-9c0d-ba8905ce5293" ], "report_names": [ "showcard.cgi?u=a9039e6e-531f-4b17-9c0d-ba8905ce5293" ], "threat_actors": [ { "id": "2f498e6b-3f0e-4f26-8cc7-52121e675643", "created_at": "2023-01-06T13:46:38.447274Z", "updated_at": "2026-04-10T02:00:02.978901Z", "deleted_at": null, "main_name": "Deadeye Jackal", "aliases": [ "SyrianElectronicArmy" ], "source_name": "MISPGALAXY:Deadeye Jackal", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "76fc6d92-0710-4640-bfa7-3000fe3940a5", "created_at": "2022-10-25T16:07:24.251595Z", "updated_at": "2026-04-10T02:00:04.911951Z", "deleted_at": null, "main_name": "Syrian Electronic Army (SEA)", "aliases": [ "ATK 196", "Deadeye Jackal", "Syria Malware Team", "Syrian Electronic Army", "TAG-CT2" ], "source_name": "ETDA:Syrian Electronic Army (SEA)", "tools": [ "AndoServer", "CypherRat", "SLRat", "SandroRAT", "SilverHawk", "SpyNote", "SpyNote RAT" ], "source_id": "ETDA", "reports": null }, { "id": "c2cc9aa5-1853-4de1-8849-cb3f28c7728e", "created_at": "2022-10-25T16:07:24.256045Z", "updated_at": "2026-04-10T02:00:04.912815Z", "deleted_at": null, "main_name": "Goldmouse", "aliases": [ "APT-C-27", "ATK 80", "Golden Rat", "Goldmouse" ], "source_name": "ETDA:Goldmouse", "tools": [ "Bladabindi", "GoldenRAT", "Jorik", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "2c385a7d-0217-46d8-a451-29ac6fe58aaf", "created_at": "2023-01-06T13:46:38.937468Z", "updated_at": "2026-04-10T02:00:03.151838Z", "deleted_at": null, "main_name": "APT-C-27", "aliases": [ "Golden RAT", "ATK80", "GoldMouse" ], "source_name": "MISPGALAXY:APT-C-27", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775433994, "ts_updated_at": 1775826764, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/93ca41f451857abc1c5d58116c6e3a01f2371219.pdf", "text": "https://archive.orkl.eu/93ca41f451857abc1c5d58116c6e3a01f2371219.txt", "img": "https://archive.orkl.eu/93ca41f451857abc1c5d58116c6e3a01f2371219.jpg" } }