{
	"id": "3a36e7ef-3734-4f3c-bbd2-a414b323333a",
	"created_at": "2026-04-06T00:15:59.149304Z",
	"updated_at": "2026-04-10T03:29:32.086079Z",
	"deleted_at": null,
	"sha1_hash": "970fe90aa3a86e41a1177870a21a1eb99bfb9f52",
	"title": "DIRTCLEANER - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 128061,
	"plain_text": "สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์\nElectronic Transactions Development Agency\nGroups Tools Search Statistics\nSearch\n↑\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool DIRTCLEANER\nThreat Group Cards: A Threat Actor Encyclopedia\n Tool: DIRTCLEANER\nNames DIRTCLEANER\nCCleaner Backdoor\nCategory Malware\nType Loader\nDescription (FireEye) The compromised CCleaner update (which we call DIRTCLEANER) is believed to download a second-stage loader (MD5:\n748aa5fcfa2af451c76039faf6a8684d) that contains a 32-bit and 64-bit COLDJAVA DLL payload.\nInformation Malpedia Last change to this tool card: 13 May 2020\nDownload this tool card in JSON format\nAll groups using tool DIRTCLEANER\nChanged Name Country Observed\nAPT groups\n APT 41 2012-Jul 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nInfrastructure and Security Department\nElectronic Transactions Development Agency\nFollow us on\nReport incidents\n+66 (0)2-123-1227\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=eea1ecd4-bc9f-49cf-8f31-e746c1eb051d\nPage 1 of 2\n\nhelpdesk@etda.or.th\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=eea1ecd4-bc9f-49cf-8f31-e746c1eb051d\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=eea1ecd4-bc9f-49cf-8f31-e746c1eb051d"
	],
	"report_names": [
		"listgroups.cgi?u=eea1ecd4-bc9f-49cf-8f31-e746c1eb051d"
	],
	"threat_actors": [
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434559,
	"ts_updated_at": 1775791772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/970fe90aa3a86e41a1177870a21a1eb99bfb9f52.pdf",
		"text": "https://archive.orkl.eu/970fe90aa3a86e41a1177870a21a1eb99bfb9f52.txt",
		"img": "https://archive.orkl.eu/970fe90aa3a86e41a1177870a21a1eb99bfb9f52.jpg"
	}
}