{
	"id": "8717124b-f2d0-4997-8759-c166a1d7921c",
	"created_at": "2026-04-06T00:16:08.710401Z",
	"updated_at": "2026-04-10T03:33:18.421662Z",
	"deleted_at": null,
	"sha1_hash": "c93f6480c66a3bf7923a9269a1f4db54c8917a34",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53057,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 12:37:11 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PhantomNet\n Tool: PhantomNet\nNames\nPhantomNet\nSManager\nCategory Malware\nType Reconnaissance, Backdoor, Loader\nDescription\n(ESET) The backdoor was named Smanager_ssl.DLL by its developers but we use\nPhantomNet, as that was the project name used in an older version of this backdoor. This most\nrecent version was compiled on the 26th of April 2020, almost two months before the supply-chain attack. In addition to Vietnam, we have seen victims in the Philippines, but unfortunately\nwe did not uncover the delivery mechanism in those cases.\nThis backdoor is quite simple and most of the malicious capabilities are likely deployed\nthrough additional plugins. It can retrieve the victim’s proxy configuration and use it to reach\nout to the command and control (C\u0026C) server. This shows that the targets are likely to be\nworking in a corporate network.\nInformation\nMalpedia Last change to this tool card: 24 April 2021\nDownload this tool card in JSON format\nAll groups using tool PhantomNet\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=41b6f923-e7a8-4e88-bbea-1894be386ed4\nPage 1 of 2\n\nOperation SignSight [Unknown] 2020  \r\n  TA428 2013-Jan 2022  \r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=41b6f923-e7a8-4e88-bbea-1894be386ed4\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=41b6f923-e7a8-4e88-bbea-1894be386ed4\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=41b6f923-e7a8-4e88-bbea-1894be386ed4"
	],
	"report_names": [
		"listgroups.cgi?u=41b6f923-e7a8-4e88-bbea-1894be386ed4"
	],
	"threat_actors": [
		{
			"id": "bbdb2d7d-4bf4-4100-a108-f4742cfd69ff",
			"created_at": "2022-10-25T16:07:24.01101Z",
			"updated_at": "2026-04-10T02:00:04.836112Z",
			"deleted_at": null,
			"main_name": "Operation SignSight",
			"aliases": [],
			"source_name": "ETDA:Operation SignSight",
			"tools": [
				"Mimikatz",
				"PhantomNet",
				"SManager"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434568,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c93f6480c66a3bf7923a9269a1f4db54c8917a34.pdf",
		"text": "https://archive.orkl.eu/c93f6480c66a3bf7923a9269a1f4db54c8917a34.txt",
		"img": "https://archive.orkl.eu/c93f6480c66a3bf7923a9269a1f4db54c8917a34.jpg"
	}
}