{ "id": "31b76976-ce88-4738-9a5c-90434d4d0d91", "created_at": "2026-04-06T00:17:01.901855Z", "updated_at": "2026-04-10T13:13:05.36205Z", "deleted_at": null, "sha1_hash": "aa35ccb95bf78604be63e4c31cced6479968747f", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48708, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:31:51 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SombRAT\n Tool: SombRAT\nNames SombRAT\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Loader, Tunneling\nDescription\n(BlackBerry) The backdoor delivered by the above-mentioned loaders is a C++\ncompiled executable developed with heavy usage of objects, classes, and interfaces. It\nhas a plugin architecture and basic functionality of a foothold RAT that is mainly used to\ndownload and execute other malicious payloads – either as its own plugins or standalone\nbinaries. It can also perform other simple actions, like collecting system information,\nlisting and killing processes, and uploading files to the C2.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool SombRAT\nChanged Name Country Observed\nAPT groups\n CostaRicto [Unknown] 2017\n UNC2447 [Unknown] 2020\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0b43cf22-b949-4c04-9154-c3aa27935935\nPage 1 of 2\n\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0b43cf22-b949-4c04-9154-c3aa27935935\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0b43cf22-b949-4c04-9154-c3aa27935935\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0b43cf22-b949-4c04-9154-c3aa27935935" ], "report_names": [ "listgroups.cgi?u=0b43cf22-b949-4c04-9154-c3aa27935935" ], "threat_actors": [ { "id": "c72c09b8-81ba-4e6e-9094-cd84ee4bda79", "created_at": "2022-10-25T15:50:23.667393Z", "updated_at": "2026-04-10T02:00:05.344613Z", "deleted_at": null, "main_name": "CostaRicto", "aliases": [ "CostaRicto" ], "source_name": "MITRE:CostaRicto", "tools": [ "PowerSploit", "SombRAT", "PsExec", "PS1", "CostaBricks" ], "source_id": "MITRE", "reports": null }, { "id": "b77f9b40-dca7-449d-819e-115cd2295b41", "created_at": "2022-10-25T16:07:23.502671Z", "updated_at": "2026-04-10T02:00:04.63173Z", "deleted_at": null, "main_name": "CostaRicto", "aliases": [], "source_name": "ETDA:CostaRicto", "tools": [ "CostaBricks", "PowerSploit", "PsExec", "SombRAT", "nmap" ], "source_id": "ETDA", "reports": null }, { "id": "065b7ea2-5920-4270-824e-94ea8a79d197", "created_at": "2023-12-08T02:00:05.747632Z", "updated_at": "2026-04-10T02:00:03.492858Z", "deleted_at": null, "main_name": "UNC2447", "aliases": [], "source_name": "MISPGALAXY:UNC2447", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "115cf618-02a8-42b8-8d25-305292eafedb", "created_at": "2023-11-21T02:00:07.396534Z", "updated_at": "2026-04-10T02:00:03.478259Z", "deleted_at": null, "main_name": "CostaRicto", "aliases": [], "source_name": "MISPGALAXY:CostaRicto", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51", "created_at": "2022-10-25T16:07:24.35977Z", "updated_at": "2026-04-10T02:00:04.953882Z", "deleted_at": null, "main_name": "UNC2447", "aliases": [], "source_name": "ETDA:UNC2447", "tools": [ "7-Zip", "AdFind", "Agentemis", "Cobalt Strike", "CobaltStrike", "DEATHRANSOM", "DeathRansom", "FIVEHANDS", "FOXGRABBER", "HELLOKITTY", "HelloKitty", "KittyCrypt", "Mimikatz", "PCHUNTER", "RCLONE", "ROUTERSCAN", "Ragnar Locker", "RagnarLocker", "Rclone", "S3BROWSER", "SombRAT", "Thieflock", "WARPRISM", "cobeacon", "deathransom", "wacatac" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434621, "ts_updated_at": 1775826785, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/aa35ccb95bf78604be63e4c31cced6479968747f.pdf", "text": "https://archive.orkl.eu/aa35ccb95bf78604be63e4c31cced6479968747f.txt", "img": "https://archive.orkl.eu/aa35ccb95bf78604be63e4c31cced6479968747f.jpg" } }