{ "id": "36ec11d5-7ef7-41f0-9db8-6051ec4d8b2a", "created_at": "2026-04-06T00:08:36.275401Z", "updated_at": "2026-04-10T13:12:49.554896Z", "deleted_at": null, "sha1_hash": "a9ef7f2793ae29c8cfbd739e2def51df7eb309f8", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49757, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:09:54 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Pisloader\n Tool: Pisloader\nNames\nPisloader\nRoseam\nCategory Malware\nType Backdoor\nDescription\nPisloader is a malware family that is notable due to its use of DNS as a C2 protocol as\nwell as its use of anti-analysis tactics. It has been used by APT18 and is similar to\nanother malware family, HTTPBrowser, that has been used by the group.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 29 December 2022\nDownload this tool card in JSON format\nAll groups using tool Pisloader\nChanged Name Country Observed\nAPT groups\n APT 18, Dynamite Panda, Wekby 2009-May 2016\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=af42a191-ee67-4870-8f17-1c69177627df\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=af42a191-ee67-4870-8f17-1c69177627df\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=af42a191-ee67-4870-8f17-1c69177627df\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=af42a191-ee67-4870-8f17-1c69177627df" ], "report_names": [ "listgroups.cgi?u=af42a191-ee67-4870-8f17-1c69177627df" ], "threat_actors": [ { "id": "17b92337-ca5f-48bb-926b-c93b5e5678a4", "created_at": "2022-10-25T16:07:23.333316Z", "updated_at": "2026-04-10T02:00:04.546474Z", "deleted_at": null, "main_name": "APT 18", "aliases": [ "APT 18", "Dynamite Panda", "G0026", "Red Wraith", "SILVERVIPER", "Satin Typhoon", "Scandium", "TG-0416", "Wekby" ], "source_name": "ETDA:APT 18", "tools": [ "AngryRebel", "AtNow", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HttpBrowser RAT", "HttpDump", "Moudour", "Mydoor", "PCRat", "Pisloader", "QUICKBALL", "Roseam", "StickyFingers", "Token Control", "TokenControl", "hcdLoader" ], "source_id": "ETDA", "reports": null }, { "id": "c8aefee7-fb57-409b-857e-23e986cb4a56", "created_at": "2023-01-06T13:46:38.285223Z", "updated_at": "2026-04-10T02:00:02.910756Z", "deleted_at": null, "main_name": "APT18", "aliases": [ "SCANDIUM", "PLA Navy", "Wekby", "G0026", "Satin Typhoon", "DYNAMITE PANDA", "TG-0416" ], "source_name": "MISPGALAXY:APT18", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2669aa86-663f-4e72-9362-9e61ff3599f4", "created_at": "2022-10-25T15:50:23.344796Z", "updated_at": "2026-04-10T02:00:05.38663Z", "deleted_at": null, "main_name": "APT18", "aliases": [ "APT18", "TG-0416", "Dynamite Panda", "Threat Group-0416" ], "source_name": "MITRE:APT18", "tools": [ "hcdLoader", "gh0st RAT", "cmd", "Pisloader", "HTTPBrowser" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434116, "ts_updated_at": 1775826769, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a9ef7f2793ae29c8cfbd739e2def51df7eb309f8.pdf", "text": "https://archive.orkl.eu/a9ef7f2793ae29c8cfbd739e2def51df7eb309f8.txt", "img": "https://archive.orkl.eu/a9ef7f2793ae29c8cfbd739e2def51df7eb309f8.jpg" } }