{
	"id": "94b39343-051c-4511-9873-9487e90b9338",
	"created_at": "2026-04-06T00:10:09.451003Z",
	"updated_at": "2026-04-10T03:30:42.942175Z",
	"deleted_at": null,
	"sha1_hash": "a235bf2237f234d0f11c29ed2520d225adc12b40",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50662,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:55:57 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool sqllauncher.dll\n Tool: sqllauncher.dll\nNames sqllauncher.dll\nCategory Malware\nType Backdoor\nDescription\n(Avast) Both DLLs, sqllauncher.dll and logon.dll, are primarily used as backdoors. These are\ninstalled as services by the aforementioned batch file. They both create a log file under the\npath: %COMMON_DOCUMENT%\\WZ9JuN00.tmp aggregating errors during the backdoor’s\nruntime. Each entry contains an error code, an error message, and a timestamp formatted as\n“[yyyy-mm-dd hh-mm-ss] %error code% %message%”.\nIf the infected device can’t connect to the C\u0026C server, the malware attempts to determine\nwhether the traffic is routed through a proxy. This information may be retrieved either from\n%WINDOWS%\\debug\\netlogon.cfg or from the TCP table. After successfully connecting to\nthe C\u0026C server, a secure communication channel (Schannel) is established and telemetry (OS\nversion, username) is sent to the C\u0026C server.\nInformation\nLast change to this tool card: 18 May 2020\nDownload this tool card in JSON format\nAll groups using tool sqllauncher.dll\nChanged Name Country Observed\nAPT groups\n Mikroceen 2017-Mar 2021\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5721d5f1-1bc1-446b-87d8-28d0b619bcc7\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5721d5f1-1bc1-446b-87d8-28d0b619bcc7\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5721d5f1-1bc1-446b-87d8-28d0b619bcc7\r\nPage 2 of 2\n\nAPT groups  Mikroceen 2017-Mar 2021 \n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5721d5f1-1bc1-446b-87d8-28d0b619bcc7"
	],
	"report_names": [
		"listgroups.cgi?u=5721d5f1-1bc1-446b-87d8-28d0b619bcc7"
	],
	"threat_actors": [
		{
			"id": "3c7097f4-849b-4bc0-a7e6-ba2b510722b6",
			"created_at": "2022-10-25T16:07:23.869951Z",
			"updated_at": "2026-04-10T02:00:04.766204Z",
			"deleted_at": null,
			"main_name": "Mikroceen",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "ETDA:Mikroceen",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Microcin",
				"Mikroceen",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"PCRat",
				"logon.dll",
				"logsupport.dll",
				"pcaudit.bat",
				"sqllauncher.dll"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434209,
	"ts_updated_at": 1775791842,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a235bf2237f234d0f11c29ed2520d225adc12b40.pdf",
		"text": "https://archive.orkl.eu/a235bf2237f234d0f11c29ed2520d225adc12b40.txt",
		"img": "https://archive.orkl.eu/a235bf2237f234d0f11c29ed2520d225adc12b40.jpg"
	}
}