{
	"id": "3722b08e-bcb4-429c-8bbb-af0cb0152413",
	"created_at": "2026-04-06T00:10:07.601532Z",
	"updated_at": "2026-04-10T13:11:22.895746Z",
	"deleted_at": null,
	"sha1_hash": "945f0cf3dfbf26252aacae77ea567e64cc385359",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31795,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 15:37:42 UTC\r\nDescription(Kaspersky) So what does PlusDLL control? It turns out that the target functionality is implemented in\r\ndifferent files. Each file provides a specific remote control feature and is downloaded from the attackers’ server\r\nevery time the system starts up. These files are not saved on disk or in the registry but are loaded directly into the\r\nmemory.\r\nAt the very start of the operation, after launching the driver, PlusDLL collects information about the infected\r\nsystem. A unique identifier for the infected computer is generated based on information about the hard drive and\r\nthe network adapter’s MAC address, e.g., TKVFP-XZTTL-KXFWH-RBJLF-FXWJR. The attackers are interested\r\nprimarily in the computer’s name, the program which loaded the malicious library, as well as information about\r\nremote desktop sessions (session name, client name, user name and session time). All of this data is collected in a\r\nbuffer, which is then compressed and sent to the attackers’ control center.\r\nIn reply to this initial message from the bot, the control center sends the list of available plugins. Plugins are DLL\r\nlibraries that provide specific remote control functions. Upon receiving the list of plugins, the bot downloads\r\nthem, allocates them in the memory and passes control to these libraries.\r\nAlso see HighNoon, which seems to be a variant of Winnti.\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b25ce20-0707-4676-9b8e-b60a7d794bed",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b25ce20-0707-4676-9b8e-b60a7d794bed"
	],
	"report_names": [
		"listgroups.cgi?u=9b25ce20-0707-4676-9b8e-b60a7d794bed"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434207,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/945f0cf3dfbf26252aacae77ea567e64cc385359.pdf",
		"text": "https://archive.orkl.eu/945f0cf3dfbf26252aacae77ea567e64cc385359.txt",
		"img": "https://archive.orkl.eu/945f0cf3dfbf26252aacae77ea567e64cc385359.jpg"
	}
}