{
	"id": "936354f7-a34b-4b2c-97d6-3fae7d99b7ab",
	"created_at": "2026-04-06T00:09:45.180982Z",
	"updated_at": "2026-04-10T03:35:52.995726Z",
	"deleted_at": null,
	"sha1_hash": "bd3e350a8df3b4cdf9b7bc2b8f37035a4ee3078a",
	"title": "NetSupport Manager - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53740,
	"plain_text": "NetSupport Manager - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:02:59 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool NetSupport Manager\nTool: NetSupport Manager\nNames\nNetSupport Manager\nNetSupport Manager RAT\nNetSupportManager RAT\nNetSupport RAT\nNetSupport\nCategory Tools\nType Backdoor\nDescription\n(Palo Alto) This RAT is typically used for legitimate purposes allowing administrators remote access to client computers. However, malicious operators are installing the RAT to victim’s systems allowing them to gain unauthorized access. The use of this NetSupport Manager RAT for unauthorized access has been observed in phishing campaigns since at least 2018.\nInformation\nMalpedia\nLast change to this tool card: 27 August 2024\nDownload this tool card in JSON format\nAll groups using tool NetSupport Manager\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=78c4aab3-63f3-4238-9ca9-5f9e07b2a871\nPage 1 of 2\n\nAPT groups\n  FIN7 2013-Jul 2024\nOther groups\n  CoralRaider 2023-Feb 2024\n  Scully Spider, TA547 [Unknown] 2017-Mar 2024\n  TA511 [Unknown] 2018-Oct 2020\n4 groups listed (1 APT, 3 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=78c4aab3-63f3-4238-9ca9-5f9e07b2a871\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=78c4aab3-63f3-4238-9ca9-5f9e07b2a871\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=78c4aab3-63f3-4238-9ca9-5f9e07b2a871"
	],
	"report_names": [
		"listgroups.cgi?u=78c4aab3-63f3-4238-9ca9-5f9e07b2a871"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1f6ae238-765f-4495-9d54-6a7883d7a319",
			"created_at": "2022-10-25T16:07:24.573456Z",
			"updated_at": "2026-04-10T02:00:05.037738Z",
			"deleted_at": null,
			"main_name": "TA511",
			"aliases": [
				"MAN1",
				"Moskalvzapoe"
			],
			"source_name": "ETDA:TA511",
			"tools": [
				"Agentemis",
				"Chanitor",
				"Cobalt Strike",
				"CobaltStrike",
				"Ficker Stealer",
				"Hancitor",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b8c5ea0-a654-4b5c-b817-9e67b115059e",
			"created_at": "2024-04-19T02:00:03.625955Z",
			"updated_at": "2026-04-10T02:00:03.616114Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "MISPGALAXY:CoralRaider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a894c24-6f51-4863-9efb-7f1b3133c848",
			"created_at": "2024-06-20T02:02:10.260154Z",
			"updated_at": "2026-04-10T02:00:05.001393Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "ETDA:CoralRaider",
			"tools": [
				"AsyncRAT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"RotBot",
				"XClient"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3070c7b-c1e8-462c-94f1-62a0d2bdbc67",
			"created_at": "2023-01-06T13:46:39.116254Z",
			"updated_at": "2026-04-10T02:00:03.218594Z",
			"deleted_at": null,
			"main_name": "SCULLY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SCULLY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72bc3519-a265-4136-b85a-d5e331f085b1",
			"created_at": "2023-01-06T13:46:39.313045Z",
			"updated_at": "2026-04-10T02:00:03.28438Z",
			"deleted_at": null,
			"main_name": "TA547",
			"aliases": [],
			"source_name": "MISPGALAXY:TA547",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "542cf9d0-9c68-428c-aff8-81b6f59dc985",
			"created_at": "2023-02-15T02:01:49.554105Z",
			"updated_at": "2026-04-10T02:00:03.347115Z",
			"deleted_at": null,
			"main_name": "Moskalvzapoe",
			"aliases": [
				"MAN1",
				"TA511"
			],
			"source_name": "MISPGALAXY:Moskalvzapoe",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434185,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd3e350a8df3b4cdf9b7bc2b8f37035a4ee3078a.pdf",
		"text": "https://archive.orkl.eu/bd3e350a8df3b4cdf9b7bc2b8f37035a4ee3078a.txt",
		"img": "https://archive.orkl.eu/bd3e350a8df3b4cdf9b7bc2b8f37035a4ee3078a.jpg"
	}
}