{ "id": "b4295e33-0f16-477f-be57-ee10428da77f", "created_at": "2026-04-06T00:07:25.016292Z", "updated_at": "2026-04-10T03:36:48.401248Z", "deleted_at": null, "sha1_hash": "deeed1a1420d866df464cba6dfdccbde62fc884b", "title": "BIOPASS RAT - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51360, "plain_text": "BIOPASS RAT - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-02 10:38:02 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BIOPASS RAT\r\n Tool: BIOPASS RAT\r\nNames\r\nBIOPASS RAT\r\nBIOPASS\r\nCategory Malware\r\nType Backdoor, Info stealer, Credential stealer, Downloader, Exfiltration\r\nDescription\r\n(Trend Micro) BIOPASS RAT possesses basic features found in other malware, such as file\r\nsystem assessment, remote desktop access, file exfiltration, and shell command execution. It\r\nalso has the ability to compromise the private information of its victims by stealing web\r\nbrowser and instant messaging client data.\r\nInformation\r\n\u003chttps://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.biopass\u003e\r\nLast change to this tool card: 28 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool BIOPASS RAT\r\nChanged Name Country Observed\r\nAPT groups\r\n  Earth Lusca 2019-Sep 2024  \r\n  RedHotel, TAG-22 2021-2022  \r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b44e58c-ab32-4547-9cc1-a67e15fcecac\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b44e58c-ab32-4547-9cc1-a67e15fcecac\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b44e58c-ab32-4547-9cc1-a67e15fcecac\r\nPage 2 of 2\n\n Earth Lusca RedHotel, TAG-22 2019-Sep 2024 2021-2022 \n2 groups listed (2 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9b44e58c-ab32-4547-9cc1-a67e15fcecac" ], "report_names": [ "listgroups.cgi?u=9b44e58c-ab32-4547-9cc1-a67e15fcecac" ], "threat_actors": [ { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "6a0effeb-3ee2-4a67-9a9f-ef5c330b1c3a", "created_at": "2023-09-07T02:02:47.827633Z", "updated_at": "2026-04-10T02:00:04.873323Z", "deleted_at": null, "main_name": "RedHotel", "aliases": [ "Operation FishMedley", "RedHotel", "TAG-22" ], "source_name": "ETDA:RedHotel", "tools": [ "Agentemis", "BIOPASS", "BIOPASS RAT", "BleDoor", "Brute Ratel", "Brute Ratel C4", "Cobalt Strike", "CobaltStrike", "FunnySwitch", "POISONPLUG.SHADOW", "RbDoor", "RibDoor", "RouterGod", "ShadowPad Winnti", "SprySOCKS", "Spyder", "Winnti", "XShellGhost", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434045, "ts_updated_at": 1775792208, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/deeed1a1420d866df464cba6dfdccbde62fc884b.pdf", "text": "https://archive.orkl.eu/deeed1a1420d866df464cba6dfdccbde62fc884b.txt", "img": "https://archive.orkl.eu/deeed1a1420d866df464cba6dfdccbde62fc884b.jpg" } }