{
	"id": "fe5c40ed-d4ca-4e03-9128-77c115b4d90b",
	"created_at": "2026-04-06T00:19:16.857797Z",
	"updated_at": "2026-04-10T13:12:55.644206Z",
	"deleted_at": null,
	"sha1_hash": "c3d6c627e8bcf09091c136393c4b357b582cca01",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49364,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:53:00 UTC\nTool: RedAlpha\nNames: RedAlpha\nCategory: Malware\nType: Reconnaissance, Backdoor\nDescription\n(Recorded Future) The RedAlpha campaigns began in mid-2017 by targeting the Tibetan community in India. The latest campaign remains ongoing, with new subdomains registered in late April 2018. The threat actor utilized a careful combination of victim reconnaissance and fingerprinting, followed by selective targeting with multi-stage malware. The malware utilized changed from a reliable custom toolset in the 2017 campaign to a more cautious and spartan approach, ending with commodity malware in 2018. Observing these two campaigns in succession demonstrates the evolution of a relatively unknown threat actor.\nInformation: Malpedia, AlienVault OTX\nLast change to this tool card: 23 April 2020\nAll groups using tool RedAlpha\nChanged Name Country Observed\nAPT groups\nRedAlpha 2015-2021\n1 group listed (1 APT, 0 other, 0 unknown)\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=98c9d065-cb9a-42fd-8a76-1a28764a24d3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=98c9d065-cb9a-42fd-8a76-1a28764a24d3"
	],
	"report_names": [
		"listgroups.cgi?u=98c9d065-cb9a-42fd-8a76-1a28764a24d3"
	],
	"threat_actors": [
		{
			"id": "9381a9dc-8d8e-453a-9fe5-301136ff0f83",
			"created_at": "2023-01-06T13:46:38.775762Z",
			"updated_at": "2026-04-10T02:00:03.096032Z",
			"deleted_at": null,
			"main_name": "RedAlpha",
			"aliases": [
				"DeepCliff",
				"Red Dev 3"
			],
			"source_name": "MISPGALAXY:RedAlpha",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cc8271a3-471f-4b8c-9da6-7d50f8ccabaa",
			"created_at": "2022-10-25T16:07:24.107066Z",
			"updated_at": "2026-04-10T02:00:04.868213Z",
			"deleted_at": null,
			"main_name": "RedAlpha",
			"aliases": [
				"DeepCliff",
				"Red Dev 3"
			],
			"source_name": "ETDA:RedAlpha",
			"tools": [
				"AngryRebel",
				"Bladabindi",
				"FF-RAT",
				"Farfli",
				"FormerFirstRAT",
				"Gh0st RAT",
				"Ghost RAT",
				"Jorik",
				"Moudour",
				"Mydoor",
				"NetHelp Infostealer",
				"NetHelp Striker",
				"PCRat",
				"RedAlpha",
				"ffrat",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434756,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3d6c627e8bcf09091c136393c4b357b582cca01.pdf",
		"text": "https://archive.orkl.eu/c3d6c627e8bcf09091c136393c4b357b582cca01.txt",
		"img": "https://archive.orkl.eu/c3d6c627e8bcf09091c136393c4b357b582cca01.jpg"
	}
}