{
	"id": "0a9116e8-31fb-484b-9ed9-31d969fe2b8b",
	"created_at": "2026-04-06T00:10:47.595102Z",
	"updated_at": "2026-04-10T03:33:51.326907Z",
	"deleted_at": null,
	"sha1_hash": "9a356bf08cb61ae743bdc6b055f71db4dba94d73",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60243,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:40:51 UTC\nTool: RogueRobin\nNames\nRogueRobin\nRogueRobinNET\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Exfiltration, Tunneling\nDescription\n(Palo Alto) In our original blog on DarkHydrus, we analyzed a PowerShell-based payload we named RogueRobin. While performing the analysis on the delivery documents using the .sct file AppLocker bypass, we noticed the C# payload was functionally similar to the original RogueRobin payload. The similarities between the PowerShell and C# variants of RogueRobin suggest that the DarkHydrus group ported their code to a compiled variant.\nThe C# variant of RogueRobin attempts to detect if it is executing in a sandbox environment using the same commands as in the PowerShell variant of RogueRobin. The series of commands, as seen in Table 2, include checks for virtualized environments, low memory, and processor counts, in addition to checks for common analysis tools running on the system. The Trojan also checks to see if a debugger is attached to its processes and will exit if it detects the presence of a debugger.\nInformation\nMITRE ATT\u0026CK Malpedia\nAlienVault OTX\nLast change to this tool card: 13 May 2020\n\nAll groups using tool RogueRobin\nChanged Name Country Observed\nAPT groups\nDarkHydrus, LazyMeerkat 2016-Jan 2019\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=87ad16c6-a771-4f89-bdd3-c5e2ad4f3354",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=87ad16c6-a771-4f89-bdd3-c5e2ad4f3354"
	],
	"report_names": [
		"listgroups.cgi?u=87ad16c6-a771-4f89-bdd3-c5e2ad4f3354"
	],
	"threat_actors": [
		{
			"id": "6efb28db-4d91-46cb-8ab7-fe9e8449ccfc",
			"created_at": "2023-01-06T13:46:38.772861Z",
			"updated_at": "2026-04-10T02:00:03.095095Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"LazyMeerkat",
				"G0079",
				"Obscure Serpens"
			],
			"source_name": "MISPGALAXY:DarkHydrus",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b04780e-7b64-4e62-b776-c6749ff7dec8",
			"created_at": "2022-10-25T16:07:23.531741Z",
			"updated_at": "2026-04-10T02:00:04.643562Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"ATK 77",
				"DarkHydrus",
				"G0079",
				"LazyMeerkat",
				"Obscure Serpens"
			],
			"source_name": "ETDA:DarkHydrus",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Mimikatz",
				"Phishery",
				"RogueRobin",
				"RogueRobinNET",
				"Trojan.Phisherly",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4fe925e8-95e5-4a63-9f96-4d0f9bedac08",
			"created_at": "2022-10-25T15:50:23.469077Z",
			"updated_at": "2026-04-10T02:00:05.384299Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"DarkHydrus"
			],
			"source_name": "MITRE:DarkHydrus",
			"tools": [
				"Mimikatz",
				"RogueRobin",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434247,
	"ts_updated_at": 1775792031,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a356bf08cb61ae743bdc6b055f71db4dba94d73.pdf",
		"text": "https://archive.orkl.eu/9a356bf08cb61ae743bdc6b055f71db4dba94d73.txt",
		"img": "https://archive.orkl.eu/9a356bf08cb61ae743bdc6b055f71db4dba94d73.jpg"
	}
}