{
	"id": "25da9440-979a-4036-bd54-4545d44fbc03",
	"created_at": "2026-04-06T00:09:00.003414Z",
	"updated_at": "2026-04-10T13:12:29.306505Z",
	"deleted_at": null,
	"sha1_hash": "b5f54bc6895040887943fd4830737da345db478e",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51898,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:04:24 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool pngdowner\n Tool: pngdowner\nNames pngdowner\nCategory Malware\nType Backdoor, Credential stealer\nDescription\n(CrowdStrike) The pngdowner malware is a simple tool constructed using Microsoft\nVisual Studio and implemented via single C++ source code file.\nInitially, the malware will perform a connectivity check to a hard-coded URL\n(http://www.microsoft.com), using a constant user agent Mozilla/4.0 (Compatible; MsIE\n6.0;). If this request fails, the malware will attempt to extract proxy details and\ncredentials from Windows Protected storage, and from the IE Credentials store using\npublicly known methods, using the proxy credentials for subsequent requests if they\nenable outbound HTTP access. An initial request is then made to the hard-coded C2\nserver and initial URI – forming a URL of the form (in this sample) http://login.stream-media.net/files/xx11/index.asp?95027775, where the numerical parameter represents a\nrandom integer. A hard-coded user agent of myagent is used for this request, and\nsubsequent communication with the C2 server.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 14 May 2020\nDownload this tool card in JSON format\nAll groups using tool pngdowner\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37964559-63c8-4384-ad64-fdb22fd4796d\nPage 1 of 2\n\nAPT groups\r\n  Putter Panda, APT 2 2007  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37964559-63c8-4384-ad64-fdb22fd4796d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37964559-63c8-4384-ad64-fdb22fd4796d\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37964559-63c8-4384-ad64-fdb22fd4796d"
	],
	"report_names": [
		"listgroups.cgi?u=37964559-63c8-4384-ad64-fdb22fd4796d"
	],
	"threat_actors": [
		{
			"id": "abd17060-62f6-4743-95e8-3f23c82cc229",
			"created_at": "2022-10-25T15:50:23.428772Z",
			"updated_at": "2026-04-10T02:00:05.365894Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"Putter Panda",
				"APT2",
				"MSUpdater"
			],
			"source_name": "MITRE:Putter Panda",
			"tools": [
				"pngdowner",
				"3PARA RAT",
				"4H RAT",
				"httpclient"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "468b7acd-895c-4c93-b572-b42f4035b4d4",
			"created_at": "2023-01-06T13:46:38.265636Z",
			"updated_at": "2026-04-10T02:00:02.902436Z",
			"deleted_at": null,
			"main_name": "APT2",
			"aliases": [
				"MSUpdater",
				"4HCrew",
				"SearchFire",
				"TG-6952",
				"G0024",
				"PLA Unit 61486",
				"PUTTER PANDA"
			],
			"source_name": "MISPGALAXY:APT2",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b066585-3591-4ddd-b3cc-f4e19e0e00ef",
			"created_at": "2022-10-25T16:07:24.086915Z",
			"updated_at": "2026-04-10T02:00:04.862463Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"4HCrew",
				"APT 2",
				"G0024",
				"Group 36",
				"Putter Panda",
				"SearchFire",
				"TG-6952"
			],
			"source_name": "ETDA:Putter Panda",
			"tools": [
				"3PARA RAT",
				"4H RAT",
				"4h_rat",
				"MSUpdater",
				"httpclient",
				"pngdowner"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5f54bc6895040887943fd4830737da345db478e.pdf",
		"text": "https://archive.orkl.eu/b5f54bc6895040887943fd4830737da345db478e.txt",
		"img": "https://archive.orkl.eu/b5f54bc6895040887943fd4830737da345db478e.jpg"
	}
}