{
	"id": "4f480c54-0e07-4c8f-a135-5515f7c31106",
	"created_at": "2026-04-06T00:22:03.169121Z",
	"updated_at": "2026-04-10T03:33:46.007884Z",
	"deleted_at": null,
	"sha1_hash": "c05bbd16149139c5af541003b08065c3bf867ffd",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52160,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:44:17 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool DILLJUICE\r\n Tool: DILLJUICE\r\nNames\r\nDILLJUICE\r\nFYAnti\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer, Credential stealer, Exfiltration\r\nDescription\r\n(Cylance) QuasarRAT is a lightweight remote administration tool written in C#. It can collect\r\nsystem information, download and execute applications, upload files, log keystrokes, grab\r\nscreenshots/camera captures, retrieve system passwords and run shell commands. The remote\r\naccess Trojan (RAT) is loaded by a bespoke loader (a.k.a. DILLWEED). The encrypted\r\nQuasarRAT payload is stored in the Microsoft.NET directory, decrypted into memory, and\r\ninstantiated using a CLR host application. In later variants an additional component is also\r\nused to install the RAT as a service (a.k.a DILLJUICE).\r\nThe following technical analysis focuses on the bespoke QuasarRAT loader developed by\r\nMenuPass and modifications made to the QuasarRAT backdoor.\r\nInformation\r\n\u003chttps://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.dilljuice\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool DILLJUICE\r\nChanged Name Country Observed\r\nAPT groups\r\n  Stone Panda, APT 10, menuPass 2006-Mar 2025\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d7ec9af2-2901-4191-a761-4662e997d2a5\r\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d7ec9af2-2901-4191-a761-4662e997d2a5\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d7ec9af2-2901-4191-a761-4662e997d2a5\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d7ec9af2-2901-4191-a761-4662e997d2a5"
	],
	"report_names": [
		"listgroups.cgi?u=d7ec9af2-2901-4191-a761-4662e997d2a5"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434923,
	"ts_updated_at": 1775792026,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c05bbd16149139c5af541003b08065c3bf867ffd.pdf",
		"text": "https://archive.orkl.eu/c05bbd16149139c5af541003b08065c3bf867ffd.txt",
		"img": "https://archive.orkl.eu/c05bbd16149139c5af541003b08065c3bf867ffd.jpg"
	}
}