{
	"id": "596222d7-8ed6-4c05-a4b7-1ae645f9ca7d",
	"created_at": "2026-04-06T00:16:52.924792Z",
	"updated_at": "2026-04-10T03:34:57.691417Z",
	"deleted_at": null,
	"sha1_hash": "b277bdea43338137c61ec309c373b53fc64efad7",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53536,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:29:33 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool XMRig\n Tool: XMRig\nNames XMRig\nCategory Tools\nType Miner\nDescription\n(FireEye) XMRIG is an open-source Monero cryptocurrency miner. It has variants for\nCPU, NVIDIA GPU, and AMD GPU mining.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 19 June 2024\nDownload this tool card in JSON format\nAll groups using tool XMRig\nChanged Name Country Observed\nAPT groups\n APT 4, Maverick Panda, Wisp Team 2007-Oct 2018\n APT 41 2012-Jul 2025\nOther groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d713097f-61f3-4e1a-a1a0-c542a23a0999\nPage 1 of 2\n\nPacha Group 2018-May 2019  \r\n3 groups listed (2 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d713097f-61f3-4e1a-a1a0-c542a23a0999\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d713097f-61f3-4e1a-a1a0-c542a23a0999\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d713097f-61f3-4e1a-a1a0-c542a23a0999"
	],
	"report_names": [
		"listgroups.cgi?u=d713097f-61f3-4e1a-a1a0-c542a23a0999"
	],
	"threat_actors": [
		{
			"id": "18bcbaa6-8e7b-43c4-9db7-8b0b315ee5a3",
			"created_at": "2023-01-06T13:46:39.024086Z",
			"updated_at": "2026-04-10T02:00:03.184974Z",
			"deleted_at": null,
			"main_name": "Pacha Group",
			"aliases": [],
			"source_name": "MISPGALAXY:Pacha Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2ac8fb39-1ad4-407c-bf51-249751a575ba",
			"created_at": "2023-01-06T13:46:38.337728Z",
			"updated_at": "2026-04-10T02:00:02.933527Z",
			"deleted_at": null,
			"main_name": "SAMURAI PANDA",
			"aliases": [
				"PLA Navy",
				"Wisp Team"
			],
			"source_name": "MISPGALAXY:SAMURAI PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoo",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "484c5fed-029e-4504-b75a-bbdbc9460595",
			"created_at": "2022-10-25T16:07:24.529893Z",
			"updated_at": "2026-04-10T02:00:05.02425Z",
			"deleted_at": null,
			"main_name": "Pacha Group",
			"aliases": [],
			"source_name": "ETDA:Pacha Group",
			"tools": [
				"Antd",
				"DDG",
				"GreedyAntd",
				"Korkerds",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434612,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b277bdea43338137c61ec309c373b53fc64efad7.pdf",
		"text": "https://archive.orkl.eu/b277bdea43338137c61ec309c373b53fc64efad7.txt",
		"img": "https://archive.orkl.eu/b277bdea43338137c61ec309c373b53fc64efad7.jpg"
	}
}