{ "id": "5f48e6b9-9468-4307-a02a-bd601aae2325", "created_at": "2026-04-06T00:21:42.685097Z", "updated_at": "2026-04-10T03:34:16.019467Z", "deleted_at": null, "sha1_hash": "c0230af91a532d3d5f3d2d653b513cebc27e6071", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53059, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:48:27 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool CrossRAT\n Tool: CrossRAT\nNames\nCrossRAT\nTrupto\nCategory Malware\nType Backdoor, Info stealer\nDescription\n(The Hacker News) CrossRAT is a cross-platform remote access Trojan that can target\nall four popular desktop operating systems, Windows, Solaris, Linux, and macOS,\nenabling remote attackers to manipulate the file system, take screenshots, run arbitrary\nexecutables, and gain persistence on the infected systems.\nAccording to researchers, Dark Caracal hackers do not rely on any 'zero-day exploits' to\ndistribute its malware; instead, it uses basic social engineering via posts on Facebook\ngroups and WhatsApp messages, encouraging users to visit hackers-controlled fake\nwebsites and download malicious applications.\nCrossRAT is written in Java programming language, making it easy for reverse\nengineers and researchers to decompile it.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 13 May 2020\nDownload this tool card in JSON format\nAll groups using tool CrossRAT\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1e267dbe-3c07-4764-9025-ab927fe63841\nPage 1 of 2\n\nAPT groups\r\n  Dark Caracal 2007-Jun 2024  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1e267dbe-3c07-4764-9025-ab927fe63841\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1e267dbe-3c07-4764-9025-ab927fe63841\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1e267dbe-3c07-4764-9025-ab927fe63841" ], "report_names": [ "listgroups.cgi?u=1e267dbe-3c07-4764-9025-ab927fe63841" ], "threat_actors": [ { "id": "8de10e16-817c-4907-bd98-b64cf4a3e77b", "created_at": "2022-10-25T15:50:23.552766Z", "updated_at": "2026-04-10T02:00:05.362919Z", "deleted_at": null, "main_name": "Dark Caracal", "aliases": [ "Dark Caracal" ], "source_name": "MITRE:Dark Caracal", "tools": [ "FinFisher", "CrossRAT", "Bandook" ], "source_id": "MITRE", "reports": null }, { "id": "4a62c0be-1583-4d82-8f91-46e3a1c114e6", "created_at": "2023-01-06T13:46:38.73639Z", "updated_at": "2026-04-10T02:00:03.083265Z", "deleted_at": null, "main_name": "Dark Caracal", "aliases": [ "G0070" ], "source_name": "MISPGALAXY:Dark Caracal", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "af704c54-a580-4c29-95f2-82db06fbb6f9", "created_at": "2022-10-25T16:07:23.525064Z", "updated_at": "2026-04-10T02:00:04.64019Z", "deleted_at": null, "main_name": "Dark Caracal", "aliases": [ "ATK 27", "G0070", "Operation Dark Caracal", "TAG-CT3" ], "source_name": "ETDA:Dark Caracal", "tools": [ "Bandok", "Bandook", "CrossRAT", "FinFisher", "FinFisher RAT", "FinSpy", "Pallas", "Trupto" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434902, "ts_updated_at": 1775792056, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c0230af91a532d3d5f3d2d653b513cebc27e6071.pdf", "text": "https://archive.orkl.eu/c0230af91a532d3d5f3d2d653b513cebc27e6071.txt", "img": "https://archive.orkl.eu/c0230af91a532d3d5f3d2d653b513cebc27e6071.jpg" } }