{ "id": "20aea045-b51f-453e-a6a5-edca517e4094", "created_at": "2026-04-06T00:09:46.057349Z", "updated_at": "2026-04-10T03:37:58.717473Z", "deleted_at": null, "sha1_hash": "d294d3103f677665973df3c98bf458a365ab71e9", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51245, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:18:03 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Comfoo\r\n Tool: Comfoo\r\nNames\r\nComfoo\r\nComfoo RAT\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Keylogger, Info stealer, Exfiltration\r\nDescription\r\n(SecureWorks) The Comfoo RAT has the following features:\r\n• System/network information gathering\r\n• Keystroke logging\r\n• Screenshots\r\n• File upload/download/execute\r\n• Command shell\r\nInformation \u003chttps://www.secureworks.com/research/secrets-of-the-comfoo-masters\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.comfoo\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool Comfoo\r\nChanged Name Country Observed\r\nAPT groups\r\n  APT 17, Deputy Dog, Elderwood, Sneaky Panda 2009-Jun 2024  \r\n  Lucky Cat 2011  \r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c46d5fa4-33e9-4eb2-af78-8a09bc34e605\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c46d5fa4-33e9-4eb2-af78-8a09bc34e605\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c46d5fa4-33e9-4eb2-af78-8a09bc34e605\r\nPage 2 of 2\n\n APT 17, Deputy Lucky Cat Dog, Elderwood, Sneaky Panda 2009-Jun 2024 2011\n2 groups listed (2 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c46d5fa4-33e9-4eb2-af78-8a09bc34e605" ], "report_names": [ "listgroups.cgi?u=c46d5fa4-33e9-4eb2-af78-8a09bc34e605" ], "threat_actors": [ { "id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5", "created_at": "2022-10-25T15:50:23.269339Z", "updated_at": "2026-04-10T02:00:05.402835Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "APT17", "Deputy Dog" ], "source_name": "MITRE:APT17", "tools": [ "BLACKCOFFEE" ], "source_id": "MITRE", "reports": null }, { "id": "a339e456-3f5a-40e9-b293-233281105e85", "created_at": "2022-10-25T15:50:23.260847Z", "updated_at": "2026-04-10T02:00:05.248583Z", "deleted_at": null, "main_name": "Elderwood", "aliases": [ "Elderwood", "Elderwood Gang", "Beijing Group", "Sneaky Panda" ], "source_name": "MITRE:Elderwood", "tools": [ "PoisonIvy", "Naid", "Briba", "Hydraq", "Linfo", "Nerex", "Vasport", "Wiarp", "Pasam" ], "source_id": "MITRE", "reports": null }, { "id": "9792e41f-4165-474b-99fa-e74ec332bd87", "created_at": "2023-01-06T13:46:38.986789Z", "updated_at": "2026-04-10T02:00:03.172308Z", "deleted_at": null, "main_name": "Lucky Cat", "aliases": [ "TA413", "White Dev 9" ], "source_name": "MISPGALAXY:Lucky Cat", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1a651080-cb2f-49bb-87cb-b9c6f6f99ce9", "created_at": "2022-10-25T16:07:23.809467Z", "updated_at": "2026-04-10T02:00:04.756067Z", "deleted_at": null, "main_name": "Lucky Cat", "aliases": [], "source_name": "ETDA:Lucky Cat", "tools": [ "Comfoo", "Comfoo RAT", "Lucky Cat", "LuckyCat", "Sojax", "Syndicasec", "WMI Ghost", "Wimmie" ], "source_id": "ETDA", "reports": null }, { "id": "57d2c58d-0445-441f-b94f-99d217b9e3c4", "created_at": "2023-01-06T13:46:38.327743Z", "updated_at": "2026-04-10T02:00:02.930027Z", "deleted_at": null, "main_name": "Beijing Group", "aliases": [ "Elderwood", "Elderwood Gang", "SIG22", "G0066", "SNEAKY PANDA" ], "source_name": "MISPGALAXY:Beijing Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "86fd71d3-06dc-4b73-b038-cedea7b83bac", "created_at": "2022-10-25T16:07:23.330793Z", "updated_at": "2026-04-10T02:00:04.545236Z", "deleted_at": null, "main_name": "APT 17", "aliases": [ "APT 17", "ATK 2", "Beijing Group", "Bronze Keystone", "Deputy Dog", "Elderwood", "Elderwood Gang", "G0025", "G0066", "Operation Aurora", "Operation DeputyDog", "Operation Ephemeral Hydra", "Operation RAT Cook", "SIG22", "Sneaky Panda", "TEMP.Avengers", "TG-8153", "Tailgater Team" ], "source_name": "ETDA:APT 17", "tools": [ "9002 RAT", "AGENT.ABQMR", "AGENT.AQUP.DROPPER", "AGENT.BMZA", "AGENT.GUNZ", "Agent.dhwf", "AngryRebel", "BlackCoffee", "Briba", "Chymine", "Comfoo", "Comfoo RAT", "Darkmoon", "DeputyDog", "Destroy RAT", "DestroyRAT", "Farfli", "Fexel", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Gresim", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Jumpall", "Kaba", "Korplug", "Linfo", "MCRAT.A", "McRAT", "MdmBot", "Mdmbot.E", "Moudour", "Mydoor", "Naid", "Nerex", "PCRat", "PNGRAT", "Pasam", "PlugX", "Poison Ivy", "RedDelta", "Roarur", "SPIVY", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trojan.Naid", "Vasport", "Wiarp", "Xamtrav", "Zox", "ZoxPNG", "ZoxRPC", "gresim", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434186, "ts_updated_at": 1775792278, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d294d3103f677665973df3c98bf458a365ab71e9.pdf", "text": "https://archive.orkl.eu/d294d3103f677665973df3c98bf458a365ab71e9.txt", "img": "https://archive.orkl.eu/d294d3103f677665973df3c98bf458a365ab71e9.jpg" } }