{
	"id": "815c63c2-14dd-4365-9fc7-1c445cc44ec0",
	"created_at": "2026-04-06T00:07:10.780877Z",
	"updated_at": "2026-04-10T03:32:56.630849Z",
	"deleted_at": null,
	"sha1_hash": "a0821da576a6852fefb377eefdaad2022fc55db1",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52146,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:17:31 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Adwind\r\n Tool: Adwind\r\nNames\r\nAdwind\r\nAdwind RAT\r\nFrutas\r\njFrutas\r\nUnReCoM\r\nAlien Spy\r\nAlienSpy\r\nJSocket\r\nSockrat\r\njBiFrost\r\nJBifrost RAT\r\nUnknown RAT\r\njConnectPro RAT\r\nUnrecom\r\nTrojan.Maljava\r\nCategory Malware\r\nType\r\nReconnaissance, Backdoor, Keylogger, Credential stealer, Info stealer, Exfiltration,\r\nMiner\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=90747400-bb9d-427d-8cc3-cd341f598860\r\nPage 1 of 2\n\nDescription\n(Proofpoint) The AlienSpy RAT is very powerful in the hands of an attacker. Some of\nthe key features supported by the RAT include:\n• Collection of system information for fingerprinting and displaying on the attacker’s\ncontroller dashboard\n• File system, process and registry explorer with ability to view and modify\n• Ability to run console commands\n• Keylogging to capture user inputs\n• Ability to download and execute secondary payloads\n• Credential theft from various browser stores\n• Ability to spy on victim through screenshots, webcam, microphone\n• Ability to RDP (Remote Desktop) to infected clients\n• Ability to mine various type of digital currency such as bitcoin, litecoin, dogecoin etc.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Adwind\nChanged Name Country Observed\nAPT groups\n LazyScripter [Unknown] 2018\n Packrat [Latin America] 2008\n2 groups listed (2 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=90747400-bb9d-427d-8cc3-cd341f598860\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=90747400-bb9d-427d-8cc3-cd341f598860\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=90747400-bb9d-427d-8cc3-cd341f598860"
	],
	"report_names": [
		"listgroups.cgi?u=90747400-bb9d-427d-8cc3-cd341f598860"
	],
	"threat_actors": [
		{
			"id": "b20281dd-8cc4-4284-b85c-f98c7e09ae48",
			"created_at": "2022-10-25T15:50:23.642844Z",
			"updated_at": "2026-04-10T02:00:05.392724Z",
			"deleted_at": null,
			"main_name": "LazyScripter",
			"aliases": [
				"LazyScripter"
			],
			"source_name": "MITRE:LazyScripter",
			"tools": [
				"Remcos",
				"QuasarRAT",
				"njRAT",
				"ngrok",
				"Koadic",
				"KOCTOPUS"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "712fc9fa-4283-431b-882c-5e0de9c12452",
			"created_at": "2022-10-25T16:07:23.770209Z",
			"updated_at": "2026-04-10T02:00:04.745132Z",
			"deleted_at": null,
			"main_name": "LazyScripter",
			"aliases": [
				"G0140"
			],
			"source_name": "ETDA:LazyScripter",
			"tools": [
				"Adwind",
				"Adwind RAT",
				"Alien Spy",
				"AlienSpy",
				"Bladabindi",
				"CinaRAT",
				"EmPyre",
				"EmpireProject",
				"Empoder",
				"Frutas",
				"Gussdoor",
				"Invoke-Ngrok",
				"JBifrost RAT",
				"JSocket",
				"Jorik",
				"KOCTOPUS",
				"Koadic",
				"Luminosity RAT",
				"LuminosityLink",
				"Nishang",
				"PowerShell Empire",
				"Quasar RAT",
				"QuasarRAT",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"RuRAT",
				"Sockrat",
				"Socmer",
				"Trojan.Maljava",
				"UnReCoM",
				"Unknown RAT",
				"Unrecom",
				"Yggdrasil",
				"jBiFrost",
				"jConnectPro RAT",
				"jFrutas",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d001e298-8608-4ee6-96c7-e5afb62d718d",
			"created_at": "2022-10-25T16:07:24.035765Z",
			"updated_at": "2026-04-10T02:00:04.847015Z",
			"deleted_at": null,
			"main_name": "Packrat",
			"aliases": [],
			"source_name": "ETDA:Packrat",
			"tools": [
				"Adwind",
				"Adwind RAT",
				"Adzok",
				"Alien Spy",
				"AlienSpy",
				"CyberGate",
				"CyberGate RAT",
				"ExtRat",
				"Frutas",
				"Invisible Remote Administrator",
				"JBifrost RAT",
				"JSocket",
				"Rebhip",
				"Sockrat",
				"Trojan.Maljava",
				"UnReCoM",
				"Unknown RAT",
				"Unrecom",
				"Xtreme RAT",
				"XtremeRAT",
				"jBiFrost",
				"jConnectPro RAT",
				"jFrutas"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02a7064e-447b-433e-ac14-6f10d476f517",
			"created_at": "2023-01-06T13:46:38.520097Z",
			"updated_at": "2026-04-10T02:00:03.010392Z",
			"deleted_at": null,
			"main_name": "Packrat",
			"aliases": [],
			"source_name": "MISPGALAXY:Packrat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434030,
	"ts_updated_at": 1775791976,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0821da576a6852fefb377eefdaad2022fc55db1.pdf",
		"text": "https://archive.orkl.eu/a0821da576a6852fefb377eefdaad2022fc55db1.txt",
		"img": "https://archive.orkl.eu/a0821da576a6852fefb377eefdaad2022fc55db1.jpg"
	}
}