{ "id": "46e8835b-23aa-4b84-a2b6-526b028cdfdc", "created_at": "2026-04-06T00:16:24.821218Z", "updated_at": "2026-04-10T03:36:48.044832Z", "deleted_at": null, "sha1_hash": "c37f1fed6d92a0eb65e353fd8935fc7230b64d6f", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47688, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:38:37 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool KTLVdoor\r\n Tool: KTLVdoor\r\nNames KTLVdoor\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Trend Micro) KTLVdoor is a highly obfuscated malware that masquerades as different system\r\nutilities, allowing attackers to carry out a variety of tasks including file manipulation,\r\ncommand execution, and remote port scanning.\r\nInformation \u003chttps://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html\u003e\r\nMalpedia\r\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/elf.ktlv_door\u003e\r\n\u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.ktlv_door\u003e\r\nLast change to this tool card: 27 December 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool KTLVdoor\r\nChanged Name Country Observed\r\nAPT groups\r\n  Earth Lusca 2019-Sep 2024  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d20c09e0-6824-4fcb-9640-61e9e6bc6f80\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d20c09e0-6824-4fcb-9640-61e9e6bc6f80\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d20c09e0-6824-4fcb-9640-61e9e6bc6f80" ], "report_names": [ "listgroups.cgi?u=d20c09e0-6824-4fcb-9640-61e9e6bc6f80" ], "threat_actors": [ { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434584, "ts_updated_at": 1775792208, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c37f1fed6d92a0eb65e353fd8935fc7230b64d6f.pdf", "text": "https://archive.orkl.eu/c37f1fed6d92a0eb65e353fd8935fc7230b64d6f.txt", "img": "https://archive.orkl.eu/c37f1fed6d92a0eb65e353fd8935fc7230b64d6f.jpg" } }