{ "id": "8c481648-39bd-45e1-858f-1eb9f2180426", "created_at": "2026-04-06T00:17:35.352782Z", "updated_at": "2026-04-10T13:12:20.780528Z", "deleted_at": null, "sha1_hash": "a1a840840ddbf092eeeb1bd963d8c1d6d979c3ef", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48793, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:12:56 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool RedCore\n Tool: RedCore\nNames RedCore\nCategory Malware\nType Backdoor, Downloader, Info stealer, Keylogger\nDescription\n(Kaspersky) When inspecting the NewCore RAT malware delivered during the various attacks\nwe investigated, we were able to distinguish between two variants. Both were deployed as\nside-loaded DLLs and shared multiple similarities, both in code and behavior. At the same\ntime, we noticed differences that indicate the variants could have been used by different\noperators.\nOur analysis shows that the underlying pieces of malware and the way they were used form\ntwo clusters of activity. As a result, we named the variants BlueCore and RedCore and\nexamined the artifacts we found around each one in order to profile their related clusters.\nInformation Last change to this tool card: 15 May 2021\nDownload this tool card in JSON format\nAll groups using tool RedCore\nChanged Name Country Observed\nAPT groups\n Goblin Panda, Cycldek, Conimes 2013-Jun 2020\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d9af543c-8b48-4294-b2e3-d64e91f6cc02\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d9af543c-8b48-4294-b2e3-d64e91f6cc02\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d9af543c-8b48-4294-b2e3-d64e91f6cc02" ], "report_names": [ "listgroups.cgi?u=d9af543c-8b48-4294-b2e3-d64e91f6cc02" ], "threat_actors": [ { "id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea", "created_at": "2023-01-06T13:46:39.444946Z", "updated_at": "2026-04-10T02:00:03.331753Z", "deleted_at": null, "main_name": "GOBLIN PANDA", "aliases": [ "Conimes", "Cycldek" ], "source_name": "MISPGALAXY:GOBLIN PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39", "created_at": "2022-10-25T16:07:23.690871Z", "updated_at": "2026-04-10T02:00:04.709966Z", "deleted_at": null, "main_name": "Goblin Panda", "aliases": [ "1937CN", "Conimes", "Cycldek", "Goblin Panda" ], "source_name": "ETDA:Goblin Panda", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "BackDoor-FBZT!52D84425CDF2", "BlueCore", "BrowsingHistoryView", "ChromePass", "CoreLoader", "Custom HDoor", "Destroy RAT", "DestroyRAT", "DropPhone", "FoundCore", "HDoor", "HTTPTunnel", "JsonCookies", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "NBTscan", "NewCore RAT", "PlugX", "ProcDump", "PsExec", "QCRat", "RainyDay", "RedCore", "RedDelta", "RoyalRoad", "Sisfader", "Sisfader RAT", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trojan.Win32.Staser.ytq", "USBCulprit", "Win32/Zegost.BW", "Xamtrav", "ZeGhost", "nbtscan" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434655, "ts_updated_at": 1775826740, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a1a840840ddbf092eeeb1bd963d8c1d6d979c3ef.pdf", "text": "https://archive.orkl.eu/a1a840840ddbf092eeeb1bd963d8c1d6d979c3ef.txt", "img": "https://archive.orkl.eu/a1a840840ddbf092eeeb1bd963d8c1d6d979c3ef.jpg" } }