{
	"id": "447be88c-6aef-4115-a092-4de970a20451",
	"created_at": "2026-04-06T00:06:21.220653Z",
	"updated_at": "2026-04-10T03:33:57.362673Z",
	"deleted_at": null,
	"sha1_hash": "9568298dcc6d66a7194b32003d12d378f37fd26b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50987,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:28:51 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Comnie\n Tool: Comnie\nNames Comnie\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) Unit 42 has been tracking a series of attacks using a remote backdoor\nmalware family named Comnie, which have been observed targeting organizations in\nthe East Asia region. Comnie, first named by Sophos seemingly after the Windows LNK\nfile name it created, is a custom malware family that is used in targeted attacks, and has\nbeen observed in the wild since at least April 2013. The Comnie malware family is\nnotable in that it leverages online blogs and third-party services to obtain command and\ncontrol (C2) information. Recent instances of the malware have been observed\nleveraging github.com, tumbler.com, and blogspot.com.\nAttackers using Comnie are leveraging malicious macros that initially hide decoy\ndocuments and show them when the victim enables macros. These decoy documents\npertain to various subject matters that the targets would be likely to be interested in.\nInformation\nMITRE ATT\u0026CK AlienVault OTX Last change to this tool card: 22 April 2020\nDownload this tool card in JSON format\nAll groups using tool Comnie\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b94ba59-fbb3-4852-8442-4b5483208a67\nPage 1 of 2\n\nBlackgear 2018-Jul 2018  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b94ba59-fbb3-4852-8442-4b5483208a67\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b94ba59-fbb3-4852-8442-4b5483208a67\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b94ba59-fbb3-4852-8442-4b5483208a67"
	],
	"report_names": [
		"listgroups.cgi?u=3b94ba59-fbb3-4852-8442-4b5483208a67"
	],
	"threat_actors": [
		{
			"id": "ad59becc-29c2-4b7a-a958-d7f242d222ea",
			"created_at": "2023-01-06T13:46:38.956494Z",
			"updated_at": "2026-04-10T02:00:03.161471Z",
			"deleted_at": null,
			"main_name": "Blackgear",
			"aliases": [
				"BLACKGEAR",
				"Topgear",
				"Comnie"
			],
			"source_name": "MISPGALAXY:Blackgear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6750d709-9153-4e90-baa3-04883a9b762b",
			"created_at": "2022-10-25T16:07:23.397596Z",
			"updated_at": "2026-04-10T02:00:04.580074Z",
			"deleted_at": null,
			"main_name": "Blackgear",
			"aliases": [
				"Topgear"
			],
			"source_name": "ETDA:Blackgear",
			"tools": [
				"Comnie",
				"Elirks",
				"Protux"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433981,
	"ts_updated_at": 1775792037,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9568298dcc6d66a7194b32003d12d378f37fd26b.pdf",
		"text": "https://archive.orkl.eu/9568298dcc6d66a7194b32003d12d378f37fd26b.txt",
		"img": "https://archive.orkl.eu/9568298dcc6d66a7194b32003d12d378f37fd26b.jpg"
	}
}