{ "id": "f4021e9f-074c-41ba-aa92-2eb7f7a5f0fa", "created_at": "2026-04-06T00:10:00.528833Z", "updated_at": "2026-04-10T13:11:59.725329Z", "deleted_at": null, "sha1_hash": "c76498620a3adf5c0c2a106abfae0197f2418e7a", "title": "NjRAT (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 289536, "plain_text": "NjRAT (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 13:43:56 UTC\r\nNjRAT\r\naka: Bladabindi, Lime-Worm\r\nActor(s): AQUATIC PANDA, Earth Lusca, Operation C-Major, The Gorgon Group\r\nURLhaus      \r\nRedPacket Security describes NJRat as \"a remote access trojan (RAT) has capabilities to log keystrokes, access\r\nthe victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the\r\nvictim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update,\r\nuninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command \u0026 Control (CnC)\r\nserver software, the attacker has capabilities to create and configure the malware to spread through USB drives.\"\r\nIt is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be\r\nbackdoored.\r\nReferences\r\n2026-02-02 ⋅ Netresec ⋅\r\nnjRAT runs MassLogger\r\nMASS Logger NjRAT\r\n2025-08-26 ⋅ Recorded Future ⋅ Insikt Group\r\nTAG-144’s Persistent Grip on South American Organizations\r\nAsyncRAT BitRAT DCRat LimeRAT NjRAT PureCrypter Quasar RAT Remcos\r\n2025-07-14 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2025\r\nCoper FluBot Hook Joker Mirai AsyncRAT BianLian BumbleBee Chaos Cobalt Strike DanaBot DCRat\r\nHavoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver ValleyRAT\r\nWarmCookie XWorm\r\n2025-04-28 ⋅ Netresec ⋅ Erik Hjelmvik\r\nDecoding njRAT traffic with NetworkMiner\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\r\nPage 1 of 9\n\nNjRAT\r\n2025-03-11 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nBlind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks\r\nAsyncRAT NjRAT Quasar RAT Remcos\r\n2025-02-12 ⋅ Red Canary ⋅ Phil Hagen, Tony Lambert\r\nDefying tunneling: A Wicked approach to detecting malicious network traffic\r\nAsyncRAT DCRat NjRAT XWorm\r\n2025-01-10 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update July to December 2024\r\nCoper FluBot Hook Mirai FAKEUPDATES AsyncRAT BianLian Brute Ratel C4 Cobalt Strike DanaBot\r\nDCRat Havoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver Stealc\r\n2024-08-09 ⋅ BreachNova ⋅ Osama Ellahi\r\nFull analysis on NJRAT\r\nNjRAT\r\n2024-07-09 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2024\r\nCoper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT\r\nQakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver\r\n2024-05-14 ⋅ Check Point Research ⋅ Antonis Terefos, Tera0017\r\nFoxit PDF “Flawed Design” Exploitation\r\nRafel RAT Agent Tesla AsyncRAT DCRat DONOT Nanocore RAT NjRAT Pony Remcos Venom RAT\r\nXWorm\r\n2024-03-19 ⋅ Medium b.magnezi ⋅ 0xMrMagnezi\r\nMalware Analysis NjRat\r\nNjRAT\r\n2024-01-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q4 2023\r\nFluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer\r\nMeterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys\r\nSliver\r\n2023-11-22 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nPractical Queries for Malware Infrastructure - Part 3 (Advanced Examples)\r\nBianLian Xtreme RAT NjRAT QakBot RedLine Stealer Remcos\r\n2023-11-21 ⋅ Medium infoSec Write-ups ⋅ JustAnother-Engineer\r\nUnmasking NJRat: A Deep Dive into a Notorious Remote Access Trojan Part1\r\nNjRAT\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\r\nPage 2 of 9\n\n2023-10-21 ⋅ Infosec Writeups ⋅ Osama Ellahi\r\nMalware analysis NJ RAT 0.7NC \u0026 0.6.4\r\nNjRAT\r\n2023-10-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2023\r\nFluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot\r\nQuasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar\r\n2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2023\r\nHydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT\r\nQakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee\r\n2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q1 2023\r\nFluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT\r\nQakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar\r\n2023-04-10 ⋅ Check Point ⋅ Check Point\r\nMarch 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute\r\nMalicious OneNote Files\r\nAgent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee\r\n2023-03-15 ⋅ Lab52 ⋅ Lab52\r\nAPT-C-36: from NjRAT to LimeRAT\r\nAsyncRAT NjRAT\r\n2023-01-17 ⋅ Trend Micro ⋅ Aliakbar Zahravi, Peter Girnus\r\nEarth Bogle: Campaigns Target the Middle East with Geopolitical Lures\r\nNjRAT\r\n2022-12-24 ⋅ di.sclosu.re ⋅ di.sclosu.re\r\nnjRAT malware spreading through Discord CDN and Facebook Ads\r\nNjRAT\r\n2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2022\r\nFluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password\r\nStealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars\r\nTofsee Vjw0rm\r\n2022-08-18 ⋅ Proofpoint ⋅ Joe Wise, Proofpoint Threat Research Team, Selena Larson\r\nReservations Requested: TA558 Targets Hospitality and Travel\r\nAsyncRAT Loda NjRAT Ozone RAT Revenge RAT Vjw0rm\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\r\nPage 3 of 9\n\n2022-08-17 ⋅ ⋅ 360 ⋅ 360 Threat Intelligence Center\r\nKasablanka organizes attacks against political groups and non-profit organizations in the Middle East\r\nSpyNote Loda Nanocore RAT NjRAT\r\n2022-08-12 ⋅ Brandefense ⋅ Brandefense\r\nMythic Leopard APT Group\r\nCrimson RAT DarkComet NjRAT Oblique RAT Peppy RAT\r\n2022-05-12 ⋅ Morphisec ⋅ Hido Cohen\r\nNew SYK Crypter Distributed Via Discord\r\nAsyncRAT Ave Maria Nanocore RAT NjRAT Quasar RAT RedLine Stealer\r\n2022-05-09 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nDirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains\r\nDCRat NjRAT\r\n2022-03-23 ⋅ ⋅ EcuCert ⋅ EcuCert\r\nAPT-C-36 Advanced Persistent Threat Campaign Could be present in Ecuador\r\nNjRAT APT-C-36\r\n2022-03-09 ⋅ Lab52 ⋅ Lab52\r\nVery very lazy Lazyscripter’s scripts: double compromise in a single obfuscation\r\nNjRAT\r\n2022-02-08 ⋅ Intel 471 ⋅ Intel 471\r\nPrivateLoader: The first step in many malware schemes\r\nDridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos\r\nSmokeLoader STOP Tofsee TrickBot Vidar\r\n2022-02-03 ⋅ forensicitguy ⋅ Tony Lambert\r\nnjRAT Installed from a MSI\r\nNjRAT\r\n2022-01-12 ⋅ Cyber And Ramen blog ⋅ Mike R\r\nAnalysis of njRAT PowerPoint Macros\r\nNjRAT\r\n2021-11-30 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV\r\nJust another analysis of the njRAT malware – A step-by-step approach\r\nNjRAT\r\n2021-11-29 ⋅ Trend Micro ⋅ Jaromír Hořejší\r\nCampaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites\r\nAsyncRAT Azorult Nanocore RAT NjRAT RedLine Stealer Remcos\r\n2021-11-11 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team\r\nHTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\r\nPage 4 of 9\n\nattacks\r\nAsyncRAT Mekotio NjRAT\r\n2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT\r\nAPT attacks on industrial organizations in H1 2021\r\n8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad\r\nZebrocy\r\n2021-10-15 ⋅ ESET Research ⋅ ESET Research\r\nTweet on a malicious campaign targeting governmental and education entities in Colombia using multiple\r\nstages to drop AsyncRAT or njRAT Keylogger on their victims\r\nAsyncRAT NjRAT\r\n2021-09-20 ⋅ Trend Micro ⋅ Aliakbar Zahravi, William Gamazo Sanchez\r\nWater Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads\r\nAve Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT\r\n2021-09-16 ⋅ Cisco ⋅ Tiago Pereira, Vitor Ventura\r\nOperation Layover: How we tracked an attack on the aviation industry to five years of compromise\r\nAsyncRAT Houdini NjRAT\r\n2021-09-13 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nAPT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)\r\nAsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos\r\n2021-09-13 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nAPT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs\r\nAsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos\r\n2021-08-19 ⋅ Talos ⋅ Asheer Malhotra, Vanja Svajcer, Vitor Ventura\r\nMalicious Campaign Targets Latin America: The seller, The operator and a curious link\r\nAsyncRAT NjRAT\r\n2021-07-30 ⋅ Menlo Security ⋅ MENLO Security\r\nISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign\r\nAsyncRAT NjRAT\r\n2021-07-12 ⋅ Cipher Tech Solutions ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki\r\nPassword Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos\r\n2021-07-12 ⋅ IBM ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki\r\nPassword Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\r\nPage 5 of 9\n\n2021-07-09 ⋅ Seqrite ⋅ Chaitanya Haritash, Nihar Deshpande, Shayak Tarafdar\r\nSeqrite uncovers second wave of Operation SideCopy targeting Indian critical infrastructure PSUs\r\nNjRAT ReverseRAT\r\n2021-07-07 ⋅ Talos ⋅ Asheer Malhotra, Justin Thattil\r\nInSideCopy: How this APT continues to evolve its arsenal (Network IOCs)\r\nAllaKore Lilith NjRAT\r\n2021-07-07 ⋅ Talos ⋅ Asheer Malhotra, Justin Thattil\r\nInSideCopy: How this APT continues to evolve its arsenal (IOCs)\r\nAllaKore Lilith NjRAT\r\n2021-07-07 ⋅ Talos ⋅ Asheer Malhotra, Justin Thattil\r\nInSideCopy: How this APT continues to evolve its arsenal\r\nAllaKore Lilith NjRAT\r\n2021-07-07 ⋅ Talos Intelligence ⋅ Asheer Malhotra, Justin Thattil\r\nInSideCopy: How this APT continues to evolve its arsenal\r\nAllaKore NjRAT SideCopy\r\n2021-07-02 ⋅ Cisco ⋅ Asheer Malhotra, Justin Thattil\r\nInSideCopy: How this APT continues to evolve its arsenal\r\nAllaKore CetaRAT Lilith NjRAT ReverseRAT\r\n2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Manohar Ghule, Mohd Sadique\r\nCatching RATs Over Custom Protocols Analysis of top non-HTTP/S threats\r\nAgent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar\r\nRAT Remcos\r\n2021-04-21 ⋅ Facebook ⋅ David Agranovich, Mike Dvilyanski\r\nTaking Action Against Hackers in Palestine\r\nSpyNote Houdini NjRAT\r\n2021-03-22 ⋅ K7 Security ⋅ Mary Muthu Francisca\r\nMalSpam Campaigns Download njRAT from Paste Sites\r\nNjRAT\r\n2021-03-21 ⋅ Blackberry ⋅ Blackberry Research\r\n2021 Threat Report\r\nBashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth\r\nBazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader\r\nTrickBot\r\n2021-02-25 ⋅ Intezer ⋅ Intezer\r\nYear of the Gopher A 2020 Go Malware Round-Up\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\r\nPage 6 of 9\n\nNiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim\r\nNjRAT Quasar RAT WellMess Zebrocy\r\n2021-01-11 ⋅ ESET Research ⋅ Matías Porolli\r\nOperation Spalax: Targeted malware attacks in Colombia\r\nAgent Tesla AsyncRAT NjRAT Remcos\r\n2021-01-05 ⋅ ⋅ Sangfor ⋅ Clairvoyance Safety Laboratory\r\nAttack from Mustang Panda? My rabbit is back!\r\nNjRAT\r\n2020-12-21 ⋅ Cisco Talos ⋅ JON MUNSHAW\r\n2020: The year in malware\r\nWolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT\r\nNanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader\r\n2020-12-10 ⋅ Intel 471 ⋅ Intel 471\r\nNo pandas, just people: The current state of China’s cybercrime underground\r\nAnubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT\r\n2020-12-09 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Haozhe Zhang, Yanhui Jia\r\nnjRAT Spreading Through Active Pastebin Command and Control Tunnel\r\nNjRAT\r\n2020-12-01 ⋅ sonatype ⋅ Ax Sharma\r\nThere’s a RAT in my code: new npm malware with Bladabindi trojan spotted\r\nNjRAT\r\n2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nFake Microsoft Teams updates lead to Cobalt Strike deployment\r\nCobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader\r\n2020-10-26 ⋅ ⋅ 360 Core Security ⋅ 360\r\n北非狐(APT-C-44)攻击活动揭露\r\nXtreme RAT Houdini NjRAT Revenge RAT\r\n2020-09-21 ⋅ Trend Micro ⋅ Raphael Centeno\r\nCybercriminals Distribute Backdoor With VPN Installer\r\nNjRAT\r\n2020-09-01 ⋅ nviso ⋅ Bart Parys, Didier Stevens, Dries Boone, Maxime Thiebaut, Michel Coene\r\nEpic Manchego – atypical maldoc delivery brings flurry of infostealers\r\nAzorult NjRAT\r\n2020-08-19 ⋅ ⋅ AhnLab ⋅ AhnLab ASEC 분석팀\r\n국내 유명 웹하드를 통해 유포되는 njRAT 악성코드\r\nNjRAT\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\r\nPage 7 of 9\n\n2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2020\r\nAdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT\r\nStealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer\r\nRemcos Zloader\r\n2020-07-29 ⋅ ESET Research ⋅ welivesecurity\r\nTHREAT REPORT Q2 2020\r\nDEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB\r\nLocker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze\r\nMicrocin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor\r\n2020-06-22 ⋅ Anurag\r\nnjRat Malware Analysis\r\nNjRAT\r\n2020-05-14 ⋅ SophosLabs ⋅ Markel Picado\r\nRATicate: an attacker’s waves of information-stealing malware\r\nAgent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos\r\n2020-01-31 ⋅ ReversingLabs ⋅ Robert Simmons\r\nRATs in the Library: Remote Access Trojans Hide in Plain \"Public\" Site\r\nCyberGate LimeRAT NjRAT Quasar RAT Revenge RAT\r\n2020-01-01 ⋅ Dragos ⋅ Joe Slowik\r\nThreat Intelligence and the Limits of Malware Analysis\r\nExaramel Exaramel Industroyer Lookback NjRAT PlugX\r\n2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nCOPPER FIELDSTONE\r\nCrimson RAT DarkComet Luminosity RAT NjRAT Operation C-Major\r\n2019-12-24 ⋅ Github (itsKindred) ⋅ Derek Kleinhen\r\nBashar Bachir Infection Chain Analysis\r\nNjRAT\r\n2019-09-26 ⋅ Proofpoint ⋅ Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team\r\nNew WhiteShadow downloader uses Microsoft SQL to retrieve malware\r\nWhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos\r\n2019-09-23 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nAPT41\r\nDerusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi\r\nEmpire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\r\nPage 8 of 9\n\n2019-08-30 ⋅ Github (threatland) ⋅ ThreatLand\r\nnjRAT builders\r\nNjRAT\r\n2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT\r\nAPT trends report Q2 2019\r\nZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger\r\nHOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy\r\n2019-03-25 ⋅ ⋅ 360 Core Security ⋅ zhanghao-ms\r\nPatting the Bear (APT-C-37): Exposure of Continued Attacks Against an Armed Organization\r\nHoudini NjRAT\r\n2018-08-02 ⋅ Palo Alto Networks Unit 42 ⋅ David Fuertes, Josh Grunzweig, Kyle Wilhoit, Robert Falcone\r\nThe Gorgon Group: Slithering Between Nation State and Cybercrime\r\nLoki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT\r\n2018-07-23 ⋅ ⋅ 360 Threat Intelligence ⋅ Qi Anxin Threat Intelligence Center\r\nGolden Rat Organization-targeted attack in Syria\r\nNjRAT APT-C-27\r\n2016-11-30 ⋅ Fortinet ⋅ Lilia Elena Gonzalez Medina\r\nBladabindi Remains A Constant Threat By Using Dynamic DNS Services\r\nNjRAT\r\n2016-10-26 ⋅ Unknown ⋅ Chris Doman\r\nMoonlight – Targeted attacks in the Middle East\r\nHoudini NjRAT Molerats\r\n2015-01-22 ⋅ Trend Micro ⋅ Michael Marcos\r\nNew RATs Emerge from Leaked Njw0rm Source Code\r\nNjRAT\r\nYara Rules\r\n[TLP:WHITE] win_njrat_w1 (20170517 | Identify njRat)\r\nDownload all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.njrat\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat" ], "report_names": [ "win.njrat" ], "threat_actors": [ { "id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813", "created_at": "2022-10-25T15:50:23.688973Z", "updated_at": "2026-04-10T02:00:05.390055Z", "deleted_at": null, "main_name": "APT-C-36", "aliases": [ "APT-C-36", "Blind Eagle" ], "source_name": "MITRE:APT-C-36", "tools": [ "Imminent Monitor" ], "source_id": "MITRE", "reports": null }, { "id": "414d7c65-5872-4e56-8a7d-49a2aeef1632", "created_at": "2025-08-07T02:03:24.7983Z", "updated_at": "2026-04-10T02:00:03.76109Z", "deleted_at": null, "main_name": "COPPER FIELDSTONE", "aliases": [ "APT36 ", "Earth Karkaddan ", "Gorgon Group ", "Green Havildar ", "Mythic Leopard ", "Operation C-Major ", "Operation Transparent Tribe ", "Pasty Draco ", "ProjectM ", "Storm-0156 " ], "source_name": "Secureworks:COPPER FIELDSTONE", "tools": [ "CapraRAT", "Crimson RAT", "DarkComet", "ElizaRAT", "LuminosityLink", "ObliqueRAT", "Peppy", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "64d750e4-67db-4461-bae2-6e75bfced852", "created_at": "2022-10-25T16:07:24.01415Z", "updated_at": "2026-04-10T02:00:04.839502Z", "deleted_at": null, "main_name": "Operation Spalax", "aliases": [], "source_name": "ETDA:Operation Spalax", "tools": [ "AsyncRAT", "Bladabindi", "Jorik", "Remcos", "RemcosRAT", "Remvio", "Socmer", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "4f5da0b4-5d47-4ae4-87cb-dfcb3c3524ae", "created_at": "2022-10-25T16:07:23.96921Z", "updated_at": "2026-04-10T02:00:04.812941Z", "deleted_at": null, "main_name": "Operation Layover", "aliases": [], "source_name": "ETDA:Operation Layover", "tools": [ "AsyncRAT", "Bladabindi", "CyberGate", "CyberGate RAT", "Jorik", "Rebhip", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960", "created_at": "2022-10-25T16:07:24.077859Z", "updated_at": "2026-04-10T02:00:04.860725Z", "deleted_at": null, "main_name": "Promethium", "aliases": [ "APT-C-41", "G0056", "Magenta Dust", "Promethium", "StrongPity" ], "source_name": "ETDA:Promethium", "tools": [ "StrongPity", "StrongPity2", "StrongPity3", "Truvasys" ], "source_id": "ETDA", "reports": null }, { "id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed", "created_at": "2023-01-06T13:46:38.814104Z", "updated_at": "2026-04-10T02:00:03.110104Z", "deleted_at": null, "main_name": "MageCart", "aliases": [], "source_name": "MISPGALAXY:MageCart", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc", "created_at": "2022-10-27T08:27:12.955905Z", "updated_at": "2026-04-10T02:00:05.376527Z", "deleted_at": null, "main_name": "SideCopy", "aliases": [ "SideCopy" ], "source_name": "MITRE:SideCopy", "tools": [ "AuTo Stealer", "Action RAT" ], "source_id": "MITRE", "reports": null }, { "id": "316b23b5-e097-4dc6-8b1c-d096860c6c16", "created_at": "2022-10-25T16:07:24.290801Z", "updated_at": "2026-04-10T02:00:04.924688Z", "deleted_at": null, "main_name": "TA558", "aliases": [], "source_name": "ETDA:TA558", "tools": [ "AZORult", "AsyncRAT", "Bladabindi", "ExtRat", "Jorik", "Loda", "Loda RAT", "LodaRAT", "Nymeria", "PuffStealer", "Remcos", "RemcosRAT", "Remvio", "Revenge RAT", "RevengeRAT", "Revetrat", "Rultazo", "Socmer", "Vengeance Justice Worm", "Vjw0rm", "Xtreme RAT", "XtremeRAT", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3", "created_at": "2022-10-25T16:07:23.80111Z", "updated_at": "2026-04-10T02:00:04.753677Z", "deleted_at": null, "main_name": "LookBack", "aliases": [ "FlowingFrog", "LookBack", "LookingFrog", "TA410", "Witchetty" ], "source_name": "ETDA:LookBack", "tools": [ "FlowCloud", "GUP Proxy Tool", "SodomMain", "SodomMain RAT", "SodomNormal" ], "source_id": "ETDA", "reports": null }, { "id": "c97cf0c1-7f0d-4e35-9bb9-bceaad178c3d", "created_at": "2023-01-06T13:46:38.760807Z", "updated_at": "2026-04-10T02:00:03.091254Z", "deleted_at": null, "main_name": "ZooPark", "aliases": [], "source_name": "MISPGALAXY:ZooPark", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6", "created_at": "2022-10-25T15:50:23.777222Z", "updated_at": "2026-04-10T02:00:05.399303Z", "deleted_at": null, "main_name": "PROMETHIUM", "aliases": [ "PROMETHIUM", "StrongPity" ], "source_name": "MITRE:PROMETHIUM", "tools": [ "Truvasys", "StrongPity" ], "source_id": "MITRE", "reports": null }, { "id": "fce5181c-7aab-400f-bd03-9db9e791da04", "created_at": "2022-10-25T15:50:23.759799Z", "updated_at": "2026-04-10T02:00:05.3002Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "Transparent Tribe", "COPPER FIELDSTONE", "APT36", "Mythic Leopard", "ProjectM" ], "source_name": "MITRE:Transparent Tribe", "tools": [ "DarkComet", "ObliqueRAT", "njRAT", "Peppy" ], "source_id": "MITRE", "reports": null }, { "id": "19935e32-f1a5-462d-8934-8b1c3bf3b5f2", "created_at": "2022-10-25T16:07:23.36465Z", "updated_at": "2026-04-10T02:00:04.565476Z", "deleted_at": null, "main_name": "Aquatic Panda", "aliases": [ "G0143" ], "source_name": "ETDA:Aquatic Panda", "tools": [ "Agentemis", "Bladabindi", "Cobalt Strike", "CobaltStrike", "Fishmaster", "JollyJellyfish", "Jorik", "cobeacon", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "d4135989-e577-4133-bdae-a24243c832a4", "created_at": "2023-11-05T02:00:08.068657Z", "updated_at": "2026-04-10T02:00:03.396218Z", "deleted_at": null, "main_name": "Kasablanka", "aliases": [], "source_name": "MISPGALAXY:Kasablanka", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "b20281dd-8cc4-4284-b85c-f98c7e09ae48", "created_at": "2022-10-25T15:50:23.642844Z", "updated_at": "2026-04-10T02:00:05.392724Z", "deleted_at": null, "main_name": "LazyScripter", "aliases": [ "LazyScripter" ], "source_name": "MITRE:LazyScripter", "tools": [ "Remcos", "QuasarRAT", "njRAT", "ngrok", "Koadic", "KOCTOPUS" ], "source_id": "MITRE", "reports": null }, { "id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f", "created_at": "2022-10-25T15:50:23.756782Z", "updated_at": "2026-04-10T02:00:05.324924Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Molerats", "Operation Molerats", "Gaza Cybergang" ], "source_name": "MITRE:Molerats", "tools": [ "MoleNet", "DustySky", "DropBook", "SharpStage", "PoisonIvy" ], "source_id": "MITRE", "reports": null }, { "id": "0d07b30c-4393-4071-82fb-22f51f7749e0", "created_at": "2022-10-25T16:07:24.097096Z", "updated_at": "2026-04-10T02:00:04.865146Z", "deleted_at": null, "main_name": "RATicate", "aliases": [], "source_name": "ETDA:RATicate", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "BetaBot", "BlackRAT", "BlackRemote", "Bladabindi", "CloudEyE", "ForeIT", "Formbook", "GuLoader", "Jorik", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "NSIS", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Neurevt", "Nullsoft Scriptable Install System", "Origin Logger", "Recam", "Remcos", "RemcosRAT", "Remvio", "Socmer", "ZPAQ", "njRAT", "vbdropper", "win.xloader" ], "source_id": "ETDA", "reports": null }, { "id": "c2cc9aa5-1853-4de1-8849-cb3f28c7728e", "created_at": "2022-10-25T16:07:24.256045Z", "updated_at": "2026-04-10T02:00:04.912815Z", "deleted_at": null, "main_name": "Goldmouse", "aliases": [ "APT-C-27", "ATK 80", "Golden Rat", "Goldmouse" ], "source_name": "ETDA:Goldmouse", "tools": [ "Bladabindi", "GoldenRAT", "Jorik", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "2c385a7d-0217-46d8-a451-29ac6fe58aaf", "created_at": "2023-01-06T13:46:38.937468Z", "updated_at": "2026-04-10T02:00:03.151838Z", "deleted_at": null, "main_name": "APT-C-27", "aliases": [ "Golden RAT", "ATK80", "GoldMouse" ], "source_name": "MISPGALAXY:APT-C-27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "0769c188-62ce-44ee-8e9d-1067f3d3c083", "created_at": "2022-10-25T16:07:24.259063Z", "updated_at": "2026-04-10T02:00:04.913621Z", "deleted_at": null, "main_name": "Pat Bear", "aliases": [ "APT-C-37", "Pat Bear", "Racquet Bear" ], "source_name": "ETDA:Pat Bear", "tools": [ "Bladabindi", "CypherRat", "DroidJack", "H-Worm", "H-Worm RAT", "Houdini", "Houdini RAT", "Hworm", "Iniduoh", "Jenxcus", "Jorik", "Kognito", "Njw0rm", "SSLove RAT", "SpyNote", "SpyNote RAT", "WSHRAT", "dinihou", "dunihi", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4660477f-333f-4a18-b49b-0b4d7c66d482", "created_at": "2023-01-06T13:46:38.511962Z", "updated_at": "2026-04-10T02:00:03.007466Z", "deleted_at": null, "main_name": "PROMETHIUM", "aliases": [ "StrongPity", "G0056" ], "source_name": "MISPGALAXY:PROMETHIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "18278778-fa63-4a9a-8988-4d266b8c5c1a", "created_at": "2023-01-06T13:46:38.769816Z", "updated_at": "2026-04-10T02:00:03.094179Z", "deleted_at": null, "main_name": "The Gorgon Group", "aliases": [ "Gorgon Group", "Subaat", "ATK92", "G0078", "Pasty Gemini" ], "source_name": "MISPGALAXY:The Gorgon Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd", "created_at": "2022-10-25T15:50:23.296989Z", "updated_at": "2026-04-10T02:00:05.347085Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "Gorgon Group" ], "source_name": "MITRE:Gorgon Group", "tools": [ "NanoCore", "QuasarRAT", "Remcos", "njRAT" ], "source_id": "MITRE", "reports": null }, { "id": "712fc9fa-4283-431b-882c-5e0de9c12452", "created_at": "2022-10-25T16:07:23.770209Z", "updated_at": "2026-04-10T02:00:04.745132Z", "deleted_at": null, "main_name": "LazyScripter", "aliases": [ "G0140" ], "source_name": "ETDA:LazyScripter", "tools": [ "Adwind", "Adwind RAT", "Alien Spy", "AlienSpy", "Bladabindi", "CinaRAT", "EmPyre", "EmpireProject", "Empoder", "Frutas", "Gussdoor", "Invoke-Ngrok", "JBifrost RAT", "JSocket", "Jorik", "KOCTOPUS", "Koadic", "Luminosity RAT", "LuminosityLink", "Nishang", "PowerShell Empire", "Quasar RAT", "QuasarRAT", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "RuRAT", "Sockrat", "Socmer", "Trojan.Maljava", "UnReCoM", "Unknown RAT", "Unrecom", "Yggdrasil", "jBiFrost", "jConnectPro RAT", "jFrutas", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "be597b07-0cde-47bc-80c3-790a8df34af4", "created_at": "2022-10-25T16:07:23.407484Z", "updated_at": "2026-04-10T02:00:04.58656Z", "deleted_at": null, "main_name": "Blind Eagle", "aliases": [ "APT-C-36", "APT-Q-98", "AguilaCiega", "G0099" ], "source_name": "ETDA:Blind Eagle", "tools": [ "AsyncRAT", "BitRAT", "Bladabindi", "BlotchyQuasar", "Imminent Monitor", "Imminent Monitor RAT", "Jorik", "LimeRAT", "Remcos", "RemcosRAT", "Remvio", "Socmer", "Warzone", "Warzone RAT", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "93edf98a-03c1-48b3-a94c-e1bddc24f0e6", "created_at": "2022-10-25T16:07:24.435275Z", "updated_at": "2026-04-10T02:00:04.988022Z", "deleted_at": null, "main_name": "ZooPark", "aliases": [ "APT-C-38", "Cobalt Juno", "Saber Lion", "TG-2884" ], "source_name": "ETDA:ZooPark", "tools": [ "ZooPark" ], "source_id": "ETDA", "reports": null }, { "id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00", "created_at": "2023-01-06T13:46:39.30167Z", "updated_at": "2026-04-10T02:00:03.280161Z", "deleted_at": null, "main_name": "SideCopy", "aliases": [], "source_name": "MISPGALAXY:SideCopy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b", "created_at": "2025-08-07T02:03:24.53077Z", "updated_at": "2026-04-10T02:00:03.680525Z", "deleted_at": null, "main_name": "ALUMINUM SARATOGA", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "Extreme Jackal ", "Gaza Cybergang", "Molerats ", "Operation DustySky ", "TA402" ], "source_name": "Secureworks:ALUMINUM SARATOGA", "tools": [ "BlackShades", "BrittleBush", "DarkComet", "LastConn", "Micropsia", "NimbleMamba", "PoisonIvy", "QuasarRAT", "XtremeRat" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c", "created_at": "2023-01-06T13:46:38.508262Z", "updated_at": "2026-04-10T02:00:03.006018Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Gaza Cybergang", "Operation Molerats", "Extreme Jackal", "ALUMINUM SARATOGA", "G0021", "BLACKSTEM", "Gaza Hackers Team", "Gaza cybergang" ], "source_name": "MISPGALAXY:Molerats", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ba3eea09-ce30-4cfa-ae3a-b5992c4b81f8", "created_at": "2022-10-25T15:50:23.441443Z", "updated_at": "2026-04-10T02:00:05.263145Z", "deleted_at": null, "main_name": "Aquatic Panda", "aliases": [ "Aquatic Panda" ], "source_name": "MITRE:Aquatic Panda", "tools": [ "Wevtutil", "Winnti for Windows", "njRAT", "Cobalt Strike", "ShadowPad", "Winnti for Linux" ], "source_id": "MITRE", "reports": null }, { "id": "cf91b389-9602-45c0-8d6b-c61d14800f54", "created_at": "2023-01-06T13:46:39.448277Z", "updated_at": "2026-04-10T02:00:03.332604Z", "deleted_at": null, "main_name": "TA558", "aliases": [], "source_name": "MISPGALAXY:TA558", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "bd43391b-b835-4cb3-839a-d830aa1a3410", "created_at": "2023-01-06T13:46:38.925525Z", "updated_at": "2026-04-10T02:00:03.147197Z", "deleted_at": null, "main_name": "APT-C-36", "aliases": [ "Blind Eagle" ], "source_name": "MISPGALAXY:APT-C-36", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b584b10a-7d54-4d05-9e21-b223563df7b8", "created_at": "2022-10-25T16:07:24.181589Z", "updated_at": "2026-04-10T02:00:04.892659Z", "deleted_at": null, "main_name": "SideCopy", "aliases": [ "G1008", "Mocking Draco", "TAG-140", "UNC2269", "White Dev 55" ], "source_name": "ETDA:SideCopy", "tools": [ "ActionRAT", "AllaKore", "Allakore RAT", "AresRAT", "Bladabindi", "CetaRAT", "DetaRAT", "EpicenterRAT", "Jorik", "Lilith", "Lilith RAT", "MargulasRAT", "ReverseRAT", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53", "created_at": "2022-10-25T16:07:23.693797Z", "updated_at": "2026-04-10T02:00:04.711987Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "ATK 92", "G0078", "Pasty Draco", "Subaat", "TAG-CR5" ], "source_name": "ETDA:Gorgon Group", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Atros2.CKPN", "Bladabindi", "CinaRAT", "Crimson RAT", "ForeIT", "Jorik", "LOLBAS", "LOLBins", "Living off the Land", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "MSIL", "MSIL/Crimson", "Nancrat", "NanoCore", "NanoCore RAT", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Origin Logger", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "Revenge RAT", "RevengeRAT", "Revetrat", "SEEDOOR", "Scarimson", "Socmer", "Yggdrasil", "ZPAQ", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "abb24b7b-6baa-4070-9a2b-aa59091097d1", "created_at": "2022-10-25T16:07:24.339942Z", "updated_at": "2026-04-10T02:00:04.944806Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "APT 36", "APT-C-56", "Copper Fieldstone", "Earth Karkaddan", "G0134", "Green Havildar", "Mythic Leopard", "Opaque Draco", "Operation C-Major", "Operation Honey Trap", "Operation Transparent Tribe", "ProjectM", "STEPPY-KAVACH", "Storm-0156", "TEMP.Lapis", "Transparent Tribe" ], "source_name": "ETDA:Transparent Tribe", "tools": [ "Amphibeon", "Android RAT", "Bezigate", "Bladabindi", "Bozok", "Bozok RAT", "BreachRAT", "Breut", "CapraRAT", "CinaRAT", "Crimson RAT", "DarkComet", "DarkKomet", "ElizaRAT", "FYNLOS", "Fynloski", "Jorik", "Krademok", "Limepad", "Luminosity RAT", "LuminosityLink", "MSIL", "MSIL/Crimson", "Mobzsar", "MumbaiDown", "Oblique RAT", "ObliqueRAT", "Peppy RAT", "Peppy Trojan", "Quasar RAT", "QuasarRAT", "SEEDOOR", "Scarimson", "SilentCMD", "Stealth Mango", "UPDATESEE", "USBWorm", "Waizsar RAT", "Yggdrasil", "beendoor", "klovbot", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "c68fa27f-e8d9-4932-856b-467ccfe39997", "created_at": "2023-01-06T13:46:38.450585Z", "updated_at": "2026-04-10T02:00:02.980334Z", "deleted_at": null, "main_name": "Operation C-Major", "aliases": [ "APT36", "APT 36", "TMP.Lapis", "COPPER FIELDSTONE", "Storm-0156", "Transparent Tribe", "ProjectM", "Green Havildar", "Earth Karkaddan", "C-Major", "Mythic Leopard" ], "source_name": "MISPGALAXY:Operation C-Major", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null }, { "id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4", "created_at": "2022-10-25T16:07:23.875541Z", "updated_at": "2026-04-10T02:00:04.768142Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "ATK 89", "Aluminum Saratoga", "Extreme Jackal", "G0021", "Gaza Cybergang", "Gaza Hackers Team", "Molerats", "Operation DustySky", "Operation DustySky Part 2", "Operation Molerats", "Operation Moonlight", "Operation SneakyPastes", "Operation TopHat", "TA402", "TAG-CT5" ], "source_name": "ETDA:Molerats", "tools": [ "BadPatch", "Bladabindi", "BrittleBush", "Chymine", "CinaRAT", "Darkmoon", "Downeks", "DropBook", "DustySky", "ExtRat", "Gen:Trojan.Heur.PT", "H-Worm", "H-Worm RAT", "Houdini", "Houdini RAT", "Hworm", "Iniduoh", "IronWind", "Jenxcus", "JhoneRAT", "Jorik", "KasperAgent", "Kognito", "LastConn", "Micropsia", "MoleNet", "Molerat Loader", "NeD Worm", "NimbleMamba", "Njw0rm", "Pierogi", "Poison Ivy", "Quasar RAT", "QuasarRAT", "SPIVY", "Scote", "SharpSploit", "SharpStage", "WSHRAT", "WelcomeChat", "Xtreme RAT", "XtremeRAT", "Yggdrasil", "dinihou", "dunihi", "njRAT", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434200, "ts_updated_at": 1775826719, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c76498620a3adf5c0c2a106abfae0197f2418e7a.pdf", "text": "https://archive.orkl.eu/c76498620a3adf5c0c2a106abfae0197f2418e7a.txt", "img": "https://archive.orkl.eu/c76498620a3adf5c0c2a106abfae0197f2418e7a.jpg" } }