{
	"id": "ebe68556-f213-42e4-83d3-42b05d3388eb",
	"created_at": "2026-04-06T00:16:16.992397Z",
	"updated_at": "2026-04-10T03:28:46.403667Z",
	"deleted_at": null,
	"sha1_hash": "b2665fb34333a1073cb039695e461bc4c5a445fc",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47932,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:32:30 UTC\n Tool: RotBot\nNames RotBot\nCategory Malware\nType Reconnaissance, Backdoor, Keylogger, Credential stealer, Info stealer, Exfiltration, Tunneling\nDescription\n(Talos) RotBot, the QuasarRAT client variant, in its initial execution phase, performs several\ndetection evasion checks on the victim machine and conducts system reconnaissance. RotBot\nthen connects to a host on a legitimate domain, likely controlled by the threat actor, and\ndownloads the configuration file for the RotBot to connect to the C2. CoralRaider uses the\nTelegram bot as the C2 channel in this campaign.\nInformation Last change to this tool card: 18 June 2024\nAll groups using tool RotBot\nChanged Name Country Observed\nOther groups\n CoralRaider 2023-Feb 2024\n1 group listed (0 APT, 1 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=91ca3e5f-03e7-47da-bf4b-b1d8832ae694",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=91ca3e5f-03e7-47da-bf4b-b1d8832ae694"
	],
	"report_names": [
		"listgroups.cgi?u=91ca3e5f-03e7-47da-bf4b-b1d8832ae694"
	],
	"threat_actors": [
		{
			"id": "6b8c5ea0-a654-4b5c-b817-9e67b115059e",
			"created_at": "2024-04-19T02:00:03.625955Z",
			"updated_at": "2026-04-10T02:00:03.616114Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "MISPGALAXY:CoralRaider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a894c24-6f51-4863-9efb-7f1b3133c848",
			"created_at": "2024-06-20T02:02:10.260154Z",
			"updated_at": "2026-04-10T02:00:05.001393Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "ETDA:CoralRaider",
			"tools": [
				"AsyncRAT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"RotBot",
				"XClient"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434576,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2665fb34333a1073cb039695e461bc4c5a445fc.pdf",
		"text": "https://archive.orkl.eu/b2665fb34333a1073cb039695e461bc4c5a445fc.txt",
		"img": "https://archive.orkl.eu/b2665fb34333a1073cb039695e461bc4c5a445fc.jpg"
	}
}