{
	"id": "baa6b1d4-ef35-4148-b862-823aea731b44",
	"created_at": "2026-04-06T01:30:48.709545Z",
	"updated_at": "2026-04-10T03:29:45.544136Z",
	"deleted_at": null,
	"sha1_hash": "c832c46c4652d012d37337e21348aa41bc90deb1",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50564,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 00:27:23 UTC\nTool: MysterySnail RAT\nNames\nMysterySnail RAT\nMysterySnail\nCategory Malware\nType Backdoor, Info stealer, Exfiltration\nDescription\n(Kaspersky) Our deep dive into the MysterySnail RAT family started with an analysis of a previously unknown remote shell-type Trojan that was intended to be executed by an elevation of privilege exploit. The sample which we analyzed was also uploaded to VT on August 10, 2021. The sample is very big – 8.29MB. One of the reasons for the file size is that it’s statically compiled with the OpenSSL library and contains unused code and data belonging to that library. But the main reason for its size is the presence of two very large functions that do nothing but waste processor clock cycles. These functions also “use” randomly generated strings that are also present in a binary.\nInformation: Malpedia\nLast change to this tool card: 28 December 2022\nAll groups using tool MysterySnail RAT\nChanged Name Country Observed\nAPT groups\nIronHusky 2017-Aug 2021\n1 group listed (1 APT, 0 other, 0 unknown)\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=582092bf-4d53-40c0-bb80-c7c1508127b2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=582092bf-4d53-40c0-bb80-c7c1508127b2"
	],
	"report_names": [
		"listgroups.cgi?u=582092bf-4d53-40c0-bb80-c7c1508127b2"
	],
	"threat_actors": [
		{
			"id": "d06cd44b-3efe-47dc-bb7c-a7b091c02938",
			"created_at": "2023-11-08T02:00:07.135638Z",
			"updated_at": "2026-04-10T02:00:03.42332Z",
			"deleted_at": null,
			"main_name": "IronHusky",
			"aliases": [],
			"source_name": "MISPGALAXY:IronHusky",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2caf4672-1812-4bb9-9576-6011e56102d2",
			"created_at": "2022-10-25T16:07:23.742765Z",
			"updated_at": "2026-04-10T02:00:04.733853Z",
			"deleted_at": null,
			"main_name": "IronHusky",
			"aliases": [
				"BBCY-TA1",
				"Operation MysterySnail"
			],
			"source_name": "ETDA:IronHusky",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"MysterySnail",
				"MysterySnail RAT",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439048,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c832c46c4652d012d37337e21348aa41bc90deb1.pdf",
		"text": "https://archive.orkl.eu/c832c46c4652d012d37337e21348aa41bc90deb1.txt",
		"img": "https://archive.orkl.eu/c832c46c4652d012d37337e21348aa41bc90deb1.jpg"
	}
}