{ "id": "b2eca69e-8ae4-42e3-8ff5-b78a12805a81", "created_at": "2026-04-06T00:14:47.504194Z", "updated_at": "2026-04-10T03:30:57.827549Z", "deleted_at": null, "sha1_hash": "a923b80376d9e01942ba4dd6f797a2ede7f6bdeb", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 62207, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:55:31 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Remcom\n Tool: Remcom\nNames\nRemcom\nRemoteCommandExecution\nCategory Tools\nType Backdoor, Remote command\nDescription\nRemCom is an open-source, redistributable utility providing the same remote management\nfunctions. It achieved a level of notoriety after adversaries used it to move laterally in their\nattack on the Democratic National Committee in 2016. However, it’s also included in several\nlegitimate software packages. By default, RemCom sends RemComSvc.exe to a remote\ncomputer, which then uses the named pipe \\\\.\\pipe\\remcom_comunication (misspelling and all)\nin the place of PsExec’s named pipe. In addition, the process’s internal name has a value of\nremcom.\nInformation\nMalpedia Last change to this tool card: 24 April 2021\nDownload this tool card in JSON format\nAll groups using tool Remcom\nChanged Name Country Observed\nAPT groups\n ALPHV, BlackCat Gang [Unknown] 2021-Mar 2024\n Chafer, APT 39 2014-Sep 2020\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=36ef119d-9261-4c84-ade0-694c3c86428e\nPage 1 of 2\n\nDalbit 2022  \r\n3 groups listed (3 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=36ef119d-9261-4c84-ade0-694c3c86428e\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=36ef119d-9261-4c84-ade0-694c3c86428e\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=36ef119d-9261-4c84-ade0-694c3c86428e" ], "report_names": [ "listgroups.cgi?u=36ef119d-9261-4c84-ade0-694c3c86428e" ], "threat_actors": [ { "id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d", "created_at": "2025-08-07T02:03:24.741594Z", "updated_at": "2026-04-10T02:00:03.653394Z", "deleted_at": null, "main_name": "COBALT HICKMAN", "aliases": [ "APT39 ", "Burgundy Sandstorm ", "Chafer ", "ITG07 ", "Remix Kitten " ], "source_name": "Secureworks:COBALT HICKMAN", "tools": [ "MechaFlounder", "Mimikatz", "Remexi", "TREKX" ], "source_id": "Secureworks", "reports": null }, { "id": "bcf899bb-34bb-43e1-929d-02bc91974f2a", "created_at": "2023-02-18T02:04:24.050644Z", "updated_at": "2026-04-10T02:00:04.639142Z", "deleted_at": null, "main_name": "Dalbit", "aliases": [], "source_name": "ETDA:Dalbit", "tools": [ "ASPXSpy", "ASPXTool", "Agentemis", "AntSword", "BadPotato", "BlueShell", "CHINACHOPPER", "China Chopper", "Cobalt Strike", "CobaltStrike", "EFSPotato", "FRP", "Fast Reverse Proxy", "Godzilla", "Godzilla Loader", "HTran", "HUC Packet Transmit Tool", "JuicyPotato", "LadonGo", "Metasploit", "Mimikatz", "NPS", "ProcDump", "PsExec", "Remcom", "RemoteCommandExecution", "RottenPotato", "SinoChopper", "SweetPotato", "cobeacon", "reGeorg" ], "source_id": "ETDA", "reports": null }, { "id": "bee22874-f90e-410b-93f3-a2f9b1c2e695", "created_at": "2022-10-25T16:07:23.45097Z", "updated_at": "2026-04-10T02:00:04.610108Z", "deleted_at": null, "main_name": "Chafer", "aliases": [ "APT 39", "Burgundy Sandstorm", "Cobalt Hickman", "G0087", "ITG07", "Radio Serpens", "Remix Kitten", "TA454" ], "source_name": "ETDA:Chafer", "tools": [ "ASPXSpy", "ASPXTool", "Antak", "CACHEMONEY", "EternalBlue", "HTTPTunnel", "LOLBAS", "LOLBins", "Living off the Land", "MechaFlounder", "Metasploit", "Mimikatz", "NBTscan", "NSSM", "Non-sucking Service Manager", "POWBAT", "Plink", "PuTTY Link", "Rana", "Remcom", "Remexi", "RemoteCommandExecution", "SafetyKatz", "UltraVNC", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "nbtscan", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null }, { "id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5", "created_at": "2023-11-08T02:00:07.176033Z", "updated_at": "2026-04-10T02:00:03.435082Z", "deleted_at": null, "main_name": "Dalbit", "aliases": [], "source_name": "MISPGALAXY:Dalbit", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434487, "ts_updated_at": 1775791857, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a923b80376d9e01942ba4dd6f797a2ede7f6bdeb.pdf", "text": "https://archive.orkl.eu/a923b80376d9e01942ba4dd6f797a2ede7f6bdeb.txt", "img": "https://archive.orkl.eu/a923b80376d9e01942ba4dd6f797a2ede7f6bdeb.jpg" } }