{
	"id": "9426da0f-1e07-4899-8672-81dc9fa9fd13",
	"created_at": "2026-04-06T00:07:39.42119Z",
	"updated_at": "2026-04-10T03:36:50.176409Z",
	"deleted_at": null,
	"sha1_hash": "cecf1319c3e187085681944aa272fef84ae662f9",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50773,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:55:50 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ElizaRAT\n Tool: ElizaRAT\nNames ElizaRAT\nCategory Malware\nType Backdoor\nDescription\n(Check Point) ElizaRAT, a Windows Remote Access Tool disclosed in September 2023, is\nemployed by Transparent Tribe in targeted attacks. Infections typically start via executable\nfiles shared through Google Storage links, likely due to phishing efforts. Earlier variants relied\non Telegram for Command and Control (C2) communication. Since its initial detection,\nElizaRAT has evolved in execution methods, detection evasion, and C2 communication, as\ndemonstrated in three distinct campaigns from late 2023 to early 2024. Each campaign utilized\na different variant of ElizaRAT to deploy specific payloads for automated information\ngathering.\nInformation Malpedia Last change to this tool card: 27 December 2024\nDownload this tool card in JSON format\nAll groups using tool ElizaRAT\nChanged Name Country Observed\nAPT groups\n Transparent Tribe, APT 36 2013-Mar 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=99c550ef-5f9a-49e5-b4d1-f05d18c4cc9f\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=99c550ef-5f9a-49e5-b4d1-f05d18c4cc9f\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=99c550ef-5f9a-49e5-b4d1-f05d18c4cc9f\r\nPage 2 of 2\n\nAPT groups Transparent Tribe, APT 36 2013-Mar 2025 \n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=99c550ef-5f9a-49e5-b4d1-f05d18c4cc9f"
	],
	"report_names": [
		"listgroups.cgi?u=99c550ef-5f9a-49e5-b4d1-f05d18c4cc9f"
	],
	"threat_actors": [
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434059,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cecf1319c3e187085681944aa272fef84ae662f9.pdf",
		"text": "https://archive.orkl.eu/cecf1319c3e187085681944aa272fef84ae662f9.txt",
		"img": "https://archive.orkl.eu/cecf1319c3e187085681944aa272fef84ae662f9.jpg"
	}
}