{ "id": "be0cd39d-d8d2-4b38-8b9b-949cfd0be281", "created_at": "2026-04-06T00:10:05.796636Z", "updated_at": "2026-04-10T03:35:56.613657Z", "deleted_at": null, "sha1_hash": "99cdca83daed03c67ae4a02f32cc9694f1c4a09b", "title": "NetWire RC - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 75408, "plain_text": "NetWire RC - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:06:40 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool NetWire RC\n Tool: NetWire RC\nNames\nNetWire RC\nNetWire RAT\nNetWired RC\nNetWire\nNetWeird\nRecam\nCategory Malware\nType POS malware, Backdoor, Keylogger, Credential stealer\nDescription\nNetwire is a RAT, its functionality seems focused on password stealing and keylogging,\nbut includes remote control capabilities as well.\nKeylog files are stored on the infected machine in an obfuscated form. The algorithm is:\nfor i in range(0,num_read):\nbuffer[i] = ((buffer[i]-0x24)^0x9D)\u00260xFF\nInformation\nMITRE ATT\u0026CK Malpedia https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0ddad3ec-e810-4333-827b-2d03a3627403\nPage 1 of 2\n\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:Netwire\u003e\r\nLast change to this tool card: 28 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool NetWire RC\r\nChanged Name Country Observed\r\nAPT groups\r\n  APT 33, Elfin, Magnallium 2013-Apr 2024  \r\n  Gorgon Group 2017-Jul 2020  \r\n  OPERA1ER [Unknown] 2016-Jul 2023\r\n  Operation Armor Piercer 2020  \r\n  PassCV 2016  \r\n  RATicate [Unknown] 2019  \r\n  TA2541 [Unknown] 2017  \r\n7 groups listed (7 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0ddad3ec-e810-4333-827b-2d03a3627403\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0ddad3ec-e810-4333-827b-2d03a3627403\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0ddad3ec-e810-4333-827b-2d03a3627403" ], "report_names": [ "listgroups.cgi?u=0ddad3ec-e810-4333-827b-2d03a3627403" ], "threat_actors": [ { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "414d7c65-5872-4e56-8a7d-49a2aeef1632", "created_at": "2025-08-07T02:03:24.7983Z", "updated_at": "2026-04-10T02:00:03.76109Z", "deleted_at": null, "main_name": "COPPER FIELDSTONE", "aliases": [ "APT36 ", "Earth Karkaddan ", "Gorgon Group ", "Green Havildar ", "Mythic Leopard ", "Operation C-Major ", "Operation Transparent Tribe ", "Pasty Draco ", "ProjectM ", "Storm-0156 " ], "source_name": "Secureworks:COPPER FIELDSTONE", "tools": [ "CapraRAT", "Crimson RAT", "DarkComet", "ElizaRAT", "LuminosityLink", "ObliqueRAT", "Peppy", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "99468ac6-ccfd-4cd8-b726-791600e61431", "created_at": "2023-11-01T02:01:06.647272Z", "updated_at": "2026-04-10T02:00:05.313262Z", "deleted_at": null, "main_name": "TA2541", "aliases": [ "TA2541" ], "source_name": "MITRE:TA2541", "tools": [ "Snip3", "Revenge RAT", "jRAT", "WarzoneRAT", "Imminent Monitor", "AsyncRAT", "NETWIRE", "Agent Tesla", "njRAT" ], "source_id": "MITRE", "reports": null }, { "id": "11c69e3d-a740-4a70-abd3-158ac0375452", "created_at": "2023-01-06T13:46:39.29608Z", "updated_at": "2026-04-10T02:00:03.27813Z", "deleted_at": null, "main_name": "Common Raven", "aliases": [ "NXSMS", "DESKTOP-GROUP", "OPERA1ER" ], "source_name": "MISPGALAXY:Common Raven", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "97dc332f-2241-4755-ae33-54e5eff3990a", "created_at": "2023-01-06T13:46:39.307201Z", "updated_at": "2026-04-10T02:00:03.282272Z", "deleted_at": null, "main_name": "TA2541", "aliases": [], "source_name": "MISPGALAXY:TA2541", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "0d07b30c-4393-4071-82fb-22f51f7749e0", "created_at": "2022-10-25T16:07:24.097096Z", "updated_at": "2026-04-10T02:00:04.865146Z", "deleted_at": null, "main_name": "RATicate", "aliases": [], "source_name": "ETDA:RATicate", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "BetaBot", "BlackRAT", "BlackRemote", "Bladabindi", "CloudEyE", "ForeIT", "Formbook", "GuLoader", "Jorik", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "NSIS", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Neurevt", "Nullsoft Scriptable Install System", "Origin Logger", "Recam", "Remcos", "RemcosRAT", "Remvio", "Socmer", "ZPAQ", "njRAT", "vbdropper", "win.xloader" ], "source_id": "ETDA", "reports": null }, { "id": "27b56f48-7905-4da8-8d87-cea10adb1c6b", "created_at": "2022-10-25T16:07:24.044105Z", "updated_at": "2026-04-10T02:00:04.848898Z", "deleted_at": null, "main_name": "PassCV", "aliases": [], "source_name": "ETDA:PassCV", "tools": [ "Agentemis", "AngryRebel", "BleDoor", "Cobalt Strike", "CobaltStrike", "Excalibur", "Farfli", "Gh0st RAT", "Ghost RAT", "Kitkiot", "Moudour", "Mydoor", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "PCRat", "RbDoor", "Recam", "RibDoor", "Sabresac", "Sensocode", "Winnti", "ZXShell", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "18278778-fa63-4a9a-8988-4d266b8c5c1a", "created_at": "2023-01-06T13:46:38.769816Z", "updated_at": "2026-04-10T02:00:03.094179Z", "deleted_at": null, "main_name": "The Gorgon Group", "aliases": [ "Gorgon Group", "Subaat", "ATK92", "G0078", "Pasty Gemini" ], "source_name": "MISPGALAXY:The Gorgon Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd", "created_at": "2022-10-25T15:50:23.296989Z", "updated_at": "2026-04-10T02:00:05.347085Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "Gorgon Group" ], "source_name": "MITRE:Gorgon Group", "tools": [ "NanoCore", "QuasarRAT", "Remcos", "njRAT" ], "source_id": "MITRE", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "b01b0683-5c7c-4070-ba0c-4fdede370995", "created_at": "2022-10-25T16:07:23.925692Z", "updated_at": "2026-04-10T02:00:04.79318Z", "deleted_at": null, "main_name": "Operation Armor Piercer", "aliases": [], "source_name": "ETDA:Operation Armor Piercer", "tools": [ "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Recam", "Warzone", "Warzone RAT" ], "source_id": "ETDA", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "dda68b4f-a74a-42a0-b883-69c1dc1229a8", "created_at": "2023-01-06T13:46:38.528227Z", "updated_at": "2026-04-10T02:00:03.013713Z", "deleted_at": null, "main_name": "PassCV", "aliases": [], "source_name": "MISPGALAXY:PassCV", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b938e2e3-3d1b-4b35-a031-ddf25b912557", "created_at": "2022-10-25T16:07:23.35582Z", "updated_at": "2026-04-10T02:00:04.55531Z", "deleted_at": null, "main_name": "APT 33", "aliases": [ "APT 33", "ATK 35", "Cobalt Trinity", "Curious Serpens", "Elfin", "G0064", "Holmium", "Magnallium", "Peach Sandstorm", "Refined Kitten", "TA451", "Yellow Orc" ], "source_name": "ETDA:APT 33", "tools": [ "Atros2.CKPN", "AutoIt backdoor", "Breut", "CinaRAT", "DROPSHOT", "DarkComet", "DarkKomet", "DistTrack", "EmPyre", "EmpireProject", "FYNLOS", "FalseFont", "Filerase", "Fynloski", "JuicyPotato", "Krademok", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Mimikatz", "Nancrat", "NanoCore", "NanoCore RAT", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Notestuk", "POWERTON", "PoshC2", "PowerBand", "PowerShell Empire", "PowerSploit", "PsList", "Pupy", "PupyRAT", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "SHAPESHIFT", "Shamoon", "Socmer", "StoneDrill", "TURNEDUP", "Tickler", "Yggdrasil", "Zurten", "klovbot", "pupy" ], "source_id": "ETDA", "reports": null }, { "id": "a1071a25-d7c1-41be-a97f-2ec1b167ceb0", "created_at": "2023-02-18T02:04:24.365926Z", "updated_at": "2026-04-10T02:00:04.792271Z", "deleted_at": null, "main_name": "OPERA1ER", "aliases": [ "Common Raven", "DESKTOP-GROUP", "NXSMS", "Operation Nervone" ], "source_name": "ETDA:OPERA1ER", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Agentemis", "BitRAT", "BlackNET RAT", "Cobalt Strike", "CobaltStrike", "Kasidet", "LOLBAS", "LOLBins", "Living off the Land", "Metasploit", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Neutrino Bot", "Neutrino Exploit Kit", "Ngrok", "Origin Logger", "PsExec", "RDPWrap", "Recam", "Remcos", "RemcosRAT", "Remvio", "Revealer Keylogger", "Socmer", "VenomRAT", "ZPAQ", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "878ce40c-9fbc-4cff-a5c4-771086979fa7", "created_at": "2022-10-25T16:07:24.264056Z", "updated_at": "2026-04-10T02:00:04.915395Z", "deleted_at": null, "main_name": "TA2541", "aliases": [], "source_name": "ETDA:TA2541", "tools": [ "AVE_MARIA", "AgenTesla", "Agent Tesla", "AgentTesla", "AsyncRAT", "Ave Maria", "AveMariaRAT", "DarkRAT", "H-Worm", "H-Worm RAT", "Houdini", "Houdini RAT", "Hworm", "Imminent Monitor", "Imminent Monitor RAT", "Iniduoh", "Jenxcus", "Kognito", "Luminosity RAT", "LuminosityLink", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Njw0rm", "Origin Logger", "Parallax", "Parallax RAT", "ParallaxRAT", "Recam", "Revenge RAT", "RevengeRAT", "Revetrat", "WSHRAT", "ZPAQ", "avemaria", "dinihou", "dunihi" ], "source_id": "ETDA", "reports": null }, { "id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53", "created_at": "2022-10-25T16:07:23.693797Z", "updated_at": "2026-04-10T02:00:04.711987Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "ATK 92", "G0078", "Pasty Draco", "Subaat", "TAG-CR5" ], "source_name": "ETDA:Gorgon Group", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Atros2.CKPN", "Bladabindi", "CinaRAT", "Crimson RAT", "ForeIT", "Jorik", "LOLBAS", "LOLBins", "Living off the Land", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "MSIL", "MSIL/Crimson", "Nancrat", "NanoCore", "NanoCore RAT", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Origin Logger", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "Revenge RAT", "RevengeRAT", "Revetrat", "SEEDOOR", "Scarimson", "Socmer", "Yggdrasil", "ZPAQ", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434205, "ts_updated_at": 1775792156, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/99cdca83daed03c67ae4a02f32cc9694f1c4a09b.pdf", "text": "https://archive.orkl.eu/99cdca83daed03c67ae4a02f32cc9694f1c4a09b.txt", "img": "https://archive.orkl.eu/99cdca83daed03c67ae4a02f32cc9694f1c4a09b.jpg" } }