{
	"id": "f62fb15e-24fc-476d-9e96-f1a077d13664",
	"created_at": "2026-04-06T00:19:30.521664Z",
	"updated_at": "2026-04-10T03:34:28.257971Z",
	"deleted_at": null,
	"sha1_hash": "b296d16d33c2167e853885c1ccc4540cdef8a598",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49407,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:49:42 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Cryptmerlin\r\n Tool: Cryptmerlin\r\nNames Cryptmerlin\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Trend Micro) Attackers used the DLL sideloading technique on the target machine to launch\r\nCryptmerlin, a customized backdoor based on an open-source malware, Merlin Agent, written\r\nin Golang. Unlike the original Merlin Agent, Cryptmerlin currently only implements the\r\nExecuteCommand function, which communicates with the C\u0026C server via HTTP/HTTPS\r\nrequests. To reduce security warnings on the infected machine, Cryptmerlin can also\r\ncommunicate with the C\u0026C server over a proxy server, with the information of the victim’s\r\ninternal proxy also embedded in the config.\r\nInformation\r\n\u003chttps://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html\u003e\r\nLast change to this tool card: 26 December 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool Cryptmerlin\r\nChanged Name Country Observed\r\nAPT groups\r\n  Salt Typhoon, GhostEmperor 2020-Feb 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c822bea5-3bc1-47dc-82a0-e0f9d5d4cddb\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c822bea5-3bc1-47dc-82a0-e0f9d5d4cddb\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c822bea5-3bc1-47dc-82a0-e0f9d5d4cddb"
	],
	"report_names": [
		"listgroups.cgi?u=c822bea5-3bc1-47dc-82a0-e0f9d5d4cddb"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434770,
	"ts_updated_at": 1775792068,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b296d16d33c2167e853885c1ccc4540cdef8a598.pdf",
		"text": "https://archive.orkl.eu/b296d16d33c2167e853885c1ccc4540cdef8a598.txt",
		"img": "https://archive.orkl.eu/b296d16d33c2167e853885c1ccc4540cdef8a598.jpg"
	}
}