{
	"id": "ddc19e02-27cf-4fab-afa8-17ca12b5f87d",
	"created_at": "2026-04-06T15:54:00.931434Z",
	"updated_at": "2026-04-10T13:12:13.577484Z",
	"deleted_at": null,
	"sha1_hash": "a2f9642e4d6d6fe6b213f20f4365d9b42d091694",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49823,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 15:47:55 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SymonLoader\n Tool: SymonLoader\nNames SymonLoader\nCategory Malware\nType Loader\nDescription\n(Palo Alto) When executed, the loader starts monitoring storage device changes on a\ncompromised machine. If SymonLoader detects the targeted type of secure USB drive, it\nattempts to access the storage through the device driver corresponding to the secure USB\nand checks for strings specific to one type of secure USB in the drive information fields.\nThen, it accesses a predefined location of the storage on the USB and extracts an\nunknown PE file.\nInformation\nAlienVault OTX Last change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool SymonLoader\nChanged Name Country Observed\nAPT groups\n Bronze Butler, Tick, RedBaldNight, Stalker Panda 2006-Apr 2021\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fbb29314-33cd-4170-9df9-801828cc3742\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fbb29314-33cd-4170-9df9-801828cc3742\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fbb29314-33cd-4170-9df9-801828cc3742"
	],
	"report_names": [
		"listgroups.cgi?u=fbb29314-33cd-4170-9df9-801828cc3742"
	],
	"threat_actors": [
		{
			"id": "bbefc37d-475c-4d4d-b80b-7a55f896de82",
			"created_at": "2022-10-25T15:50:23.571783Z",
			"updated_at": "2026-04-10T02:00:05.302196Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"BRONZE BUTLER",
				"REDBALDKNIGHT"
			],
			"source_name": "MITRE:BRONZE BUTLER",
			"tools": [
				"Mimikatz",
				"build_downer",
				"cmd",
				"ABK",
				"at",
				"BBK",
				"schtasks",
				"down_new",
				"Daserf",
				"ShadowPad",
				"Windows Credential Editor",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490840,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2f9642e4d6d6fe6b213f20f4365d9b42d091694.pdf",
		"text": "https://archive.orkl.eu/a2f9642e4d6d6fe6b213f20f4365d9b42d091694.txt",
		"img": "https://archive.orkl.eu/a2f9642e4d6d6fe6b213f20f4365d9b42d091694.jpg"
	}
}