{
	"id": "a3f11fe2-b143-4722-a38d-890bd60160f3",
	"created_at": "2026-04-06T00:19:19.708694Z",
	"updated_at": "2026-04-10T13:11:32.830448Z",
	"deleted_at": null,
	"sha1_hash": "a970afd2dece07d24b132420e585b3fd9425fbcb",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51779,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:28:47 UTC\nTool: DDKONG\nNames DDKONG\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) The malware in question is configured with the following three exported functions:\n• ServiceMain\n• Rundll32Call\n• DllEntryPoint\nThe ServiceMain exported function indicates that this DLL is expected to be loaded as a service. If this function is successfully loaded, it will ultimately spawn a new instance of itself with the Rundll32Call export via a call to rundll32.exe.\nThe Rundll32Call exported function begins by creating a named event named ‘RunOnce’. This event ensures that only a single instance of DDKong is executed at a given time. If this is the only instance of DDKong running at the time, the malware continues. If it’s not, it dies. This ensures that only a single instance of DDKong is executed at a given time.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX\nLast change to this tool card: 23 April 2020\nAll groups using tool DDKONG\nChanged Name Country Observed\nAPT groups\n  Rancor 2017  \n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=84cd6758-4303-4a23-a102-3853651997fa",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=84cd6758-4303-4a23-a102-3853651997fa"
	],
	"report_names": [
		"listgroups.cgi?u=84cd6758-4303-4a23-a102-3853651997fa"
	],
	"threat_actors": [
		{
			"id": "e8aee970-e31e-489f-81c2-c23cd52e255c",
			"created_at": "2023-01-06T13:46:38.763687Z",
			"updated_at": "2026-04-10T02:00:03.092181Z",
			"deleted_at": null,
			"main_name": "RANCOR",
			"aliases": [
				"Rancor Group",
				"G0075",
				"Rancor Taurus",
				"Rancor group",
				"Rancor"
			],
			"source_name": "MISPGALAXY:RANCOR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d11e45c-4e31-4997-88f5-295b2564cfc6",
			"created_at": "2022-10-25T15:50:23.794721Z",
			"updated_at": "2026-04-10T02:00:05.358892Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"Rancor"
			],
			"source_name": "MITRE:Rancor",
			"tools": [
				"DDKONG",
				"PLAINTEE",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "416f8374-2b06-47e4-ba91-929b3f85d9bf",
			"created_at": "2022-10-25T16:07:24.093951Z",
			"updated_at": "2026-04-10T02:00:04.864244Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"G0075",
				"Rancor Group",
				"Rancor Taurus"
			],
			"source_name": "ETDA:Rancor",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DDKONG",
				"Derusbi",
				"Dudell",
				"ExDudell",
				"KHRAT",
				"PLAINTEE",
				"RoyalRoad",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434759,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a970afd2dece07d24b132420e585b3fd9425fbcb.pdf",
		"text": "https://archive.orkl.eu/a970afd2dece07d24b132420e585b3fd9425fbcb.txt",
		"img": "https://archive.orkl.eu/a970afd2dece07d24b132420e585b3fd9425fbcb.jpg"
	}
}