{ "id": "44b8aac8-ad76-420d-8318-627ec641b871", "created_at": "2026-04-06T00:07:24.882665Z", "updated_at": "2026-04-10T13:11:30.533313Z", "deleted_at": null, "sha1_hash": "b91827d4b87708fd9d8306bf2d7adb81411a0a4a", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 57378, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:50:31 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool DanBot\n Tool: DanBot\nNames DanBot\nCategory Malware\nType Backdoor\nDescription\n(SecureWorks) A first-stage remote access trojan (RAT) that uses DNS and HTTP-based\ncommunication mechanisms and provides basic remote access capability, including the\nabilities to execute arbitrary commands via cmd.exe and to upload and download files.\nDanBot is written in C# using .NET Framework 2.0 and provides basic remote access\ncapabilities. The DNS channel of DanBot's C2 protocol uses both IPv4 A records and\nIPv6 AAAA records for communication. The HTTP channel has evolved slightly since\nthe early 2018 samples but retains common elements throughout.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool DanBot\nChanged Name Country Observed\nAPT groups\n Hexane 2017-Jun 2022\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b730233d-5e3f-4046-af2d-9773b8258a50\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b730233d-5e3f-4046-af2d-9773b8258a50\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b730233d-5e3f-4046-af2d-9773b8258a50\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b730233d-5e3f-4046-af2d-9773b8258a50" ], "report_names": [ "listgroups.cgi?u=b730233d-5e3f-4046-af2d-9773b8258a50" ], "threat_actors": [ { "id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6", "created_at": "2022-10-25T16:07:23.706646Z", "updated_at": "2026-04-10T02:00:04.719127Z", "deleted_at": null, "main_name": "Hexane", "aliases": [ "ATK 120", "Cobalt Lyceum", "G1001", "Lyceum", "Operation Out to Sea", "Siamesekitten", "Yellow Dev 9" ], "source_name": "ETDA:Hexane", "tools": [ "DanBot", "DanDrop", "Decrypt-RDCMan.ps1", "Get-LAPSP.ps1", "James", "Milan", "kl.ps1" ], "source_id": "ETDA", "reports": null }, { "id": "a7df240e-6750-4b71-99de-85831b92faa2", "created_at": "2022-10-25T15:50:23.859253Z", "updated_at": "2026-04-10T02:00:05.285965Z", "deleted_at": null, "main_name": "HEXANE", "aliases": [ "Lyceum", "Siamesekitten", "Spirlin" ], "source_name": "MITRE:HEXANE", "tools": [ "Milan", "netstat", "BITSAdmin", "DnsSystem", "DanBot", "ipconfig", "Mimikatz", "Kevin", "PoshC2" ], "source_id": "MITRE", "reports": null }, { "id": "386b1b0a-9217-46d4-a0d6-73d6286154e0", "created_at": "2025-08-07T02:03:24.760429Z", "updated_at": "2026-04-10T02:00:03.619131Z", "deleted_at": null, "main_name": "COBALT LYCEUM", "aliases": [ "DEV-0133 ", "HEXANE ", "ScorchedEpoch " ], "source_name": "Secureworks:COBALT LYCEUM", "tools": [ "DanBot", "MilanRAT", "RGDoor", "SharkWork RAT" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434044, "ts_updated_at": 1775826690, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b91827d4b87708fd9d8306bf2d7adb81411a0a4a.pdf", "text": "https://archive.orkl.eu/b91827d4b87708fd9d8306bf2d7adb81411a0a4a.txt", "img": "https://archive.orkl.eu/b91827d4b87708fd9d8306bf2d7adb81411a0a4a.jpg" } }