{ "id": "92c3a0c6-511e-4559-a2c0-e091a14e807f", "created_at": "2026-04-06T01:30:05.708041Z", "updated_at": "2026-04-10T13:12:06.473659Z", "deleted_at": null, "sha1_hash": "ccbc05a13dec7cf65f892213584e4d4630f2b9d7", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48476, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 00:33:24 UTC\n APT group: RATicate\nNames RATicate (Sophos)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2019\nDescription\n(Sophos) In a series of malspam campaigns dating back to November of 2019, an unidentified\ngroup sent out waves of installers that drop remote administration tool (RAT) and information\nstealing malware on victims’ computers.\nWe’ve identified five separate campaigns between November, 2019 and January, 2020 in\nwhich the payloads used similar packing code and pointed to the same command and control\n(C\u0026C) infrastructure. The campaigns targeted industrial companies in Europe, the Middle\nEast, and the Republic of Korea. This leads us to believe that they are all the work of the same\nactors—a group we’ve dubbed RATicate.\nA new campaign we believe connected to the same actors leverages concern about the global\nCOVID-19 pandemic to convince victims to open the payloads. This is a shift in tactics, but\nwe suspect that this group constantly changes the way they deploy malware—and that the\ngroup has conducted campaigns prior to this past November.\nObserved\nSectors: Industrial, Manufacturing, Media, Telecommunications.\nCountries: Romania, Japan, Kuwait, South Korea, Switzerland, UK and Europe and Middle\nEast.\nTools used\nAgent Tesla, BetaBot, BlackRAT, Formbook, GuLoader, LokiBot, NetWire RC, njRAT, NSIS,\nRemcosRAT.\nInformation\nLast change to this card: 15 July 2020\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=30e5ac74-bfff-470f-ba68-a9f34ea7c57b\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=30e5ac74-bfff-470f-ba68-a9f34ea7c57b\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=30e5ac74-bfff-470f-ba68-a9f34ea7c57b\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=30e5ac74-bfff-470f-ba68-a9f34ea7c57b" ], "report_names": [ "showcard.cgi?u=30e5ac74-bfff-470f-ba68-a9f34ea7c57b" ], "threat_actors": [ { "id": "0d07b30c-4393-4071-82fb-22f51f7749e0", "created_at": "2022-10-25T16:07:24.097096Z", "updated_at": "2026-04-10T02:00:04.865146Z", "deleted_at": null, "main_name": "RATicate", "aliases": [], "source_name": "ETDA:RATicate", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "BetaBot", "BlackRAT", "BlackRemote", "Bladabindi", "CloudEyE", "ForeIT", "Formbook", "GuLoader", "Jorik", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "NSIS", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Neurevt", "Nullsoft Scriptable Install System", "Origin Logger", "Recam", "Remcos", "RemcosRAT", "Remvio", "Socmer", "ZPAQ", "njRAT", "vbdropper", "win.xloader" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439005, "ts_updated_at": 1775826726, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ccbc05a13dec7cf65f892213584e4d4630f2b9d7.pdf", "text": "https://archive.orkl.eu/ccbc05a13dec7cf65f892213584e4d4630f2b9d7.txt", "img": "https://archive.orkl.eu/ccbc05a13dec7cf65f892213584e4d4630f2b9d7.jpg" } }