{
	"id": "4a6e4576-c6f7-4cb1-83ea-37b5e06e7ed0",
	"created_at": "2026-04-06T00:10:15.166879Z",
	"updated_at": "2026-04-10T03:32:35.159134Z",
	"deleted_at": null,
	"sha1_hash": "aa1de4ba2daf18d87a777e5c5c466c020fa2383d",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52130,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 15:43:18 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Icefog\r\n Tool: Icefog\r\nNames\r\nIcefog\r\nFucobha\r\nCategory Malware\r\nType Backdoor, Info stealer\r\nDescription\r\n(Kaspersky) The “Icefog” backdoor set (also known as “Fucobha”) is an interactive\r\nespionage tool that is directly controlled by the attackers. There are versions for both\r\nMicrosoft Windows and Mac OS X. In its latest incarnation, Icefog doesn’t automatically\r\nexfiltrate data, instead, it is operated by the attackers to perform actions directly on the\r\nvictim’s live systems.\r\nInformation\r\n\u003chttps://media.kaspersky.com/en/icefog-apt-threat.pdf\u003e\r\n\u003chttp://www.kz-cert.kz/page/502\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.icefog\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:ICEFOG\u003e\r\nLast change to this tool card: 13 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Icefog\r\nChanged Name Country Observed\r\nAPT groups\r\n  Icefog, Dagger Panda 2011-2018/2019  \r\n  RedFoxtrot 2014-Aug 2021  \r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=923f2526-abf4-4ccd-9341-afc86e2b21e8\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=923f2526-abf4-4ccd-9341-afc86e2b21e8\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=923f2526-abf4-4ccd-9341-afc86e2b21e8\r\nPage 2 of 2\n\n Icefog, Dagger Panda 2011-2018/2019 \n RedFoxtrot 2014-Aug 2021 \n2 groups listed (2 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=923f2526-abf4-4ccd-9341-afc86e2b21e8"
	],
	"report_names": [
		"listgroups.cgi?u=923f2526-abf4-4ccd-9341-afc86e2b21e8"
	],
	"threat_actors": [
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695",
			"created_at": "2022-10-25T16:07:24.120424Z",
			"updated_at": "2026-04-10T02:00:04.871598Z",
			"deleted_at": null,
			"main_name": "RedFoxtrot",
			"aliases": [
				"Moshen Dragon",
				"Nomad Panda",
				"TEMP.Trident"
			],
			"source_name": "ETDA:RedFoxtrot",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Fucobha",
				"GUNTERS",
				"Gen:Trojan.Heur.PT",
				"Icefog",
				"Impacket",
				"Kaba",
				"Korplug",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XShellGhost",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775791955,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa1de4ba2daf18d87a777e5c5c466c020fa2383d.pdf",
		"text": "https://archive.orkl.eu/aa1de4ba2daf18d87a777e5c5c466c020fa2383d.txt",
		"img": "https://archive.orkl.eu/aa1de4ba2daf18d87a777e5c5c466c020fa2383d.jpg"
	}
}