{
	"id": "523b608d-a55c-476f-ba3c-75ee424ef397",
	"created_at": "2026-04-06T00:13:38.372659Z",
	"updated_at": "2026-04-10T03:33:18.418814Z",
	"deleted_at": null,
	"sha1_hash": "e08e31a8b751ae55855843963cb5db466ee9f49d",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57092,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:19:45 UTC\n APT group: Worok\nNames Worok (ESET)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2020\nDescription\n(ESET) ESET researchers recently found targeted attacks that used undocumented tools\nagainst various high-profile companies and local governments mostly in Asia. These attacks\nwere conducted by a previously unknown espionage group that we have named Worok and\nthat has been active since at least 2020. Worok’s toolset includes a C++ loader CLRLoad, a\nPowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to\nextract hidden malicious payloads from PNG files.\nActivity times and toolset indicate possible ties with TA428, but we make this assessment with\nlow confidence.\nObserved\nSectors: Energy, Financial, Government, Telecommunications.\nCountries: Botswana, Cambodia, China, Indonesia, Iran, Iraq, Japan, Kazakhstan, Kyrgyzstan,\nLaos, Lebanon, Malaysia, Mongolia, Myanmar, Namibia, North Korea, Oman, Philippines,\nSaudi Arabia, Singapore, South Africa, South Korea, Syria, Tajikistan, Thailand, Turkey,\nTurkmenistan, UAE, Uzbekistan, Vietnam, Yemen.\nTools used CLRLoad, EarthWorm, Mimikatz, nbtscan, PNGLoad, PowHeartBeat, reGeorg.\nInformation Last change to this card: 13 September 2022\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=588255b4-4acf-45b0-a644-83bce3590e58\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=588255b4-4acf-45b0-a644-83bce3590e58\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=588255b4-4acf-45b0-a644-83bce3590e58"
	],
	"report_names": [
		"showcard.cgi?u=588255b4-4acf-45b0-a644-83bce3590e58"
	],
	"threat_actors": [
		{
			"id": "a7e5d6c0-5f7e-4d1c-87fa-bbf65b4e65b9",
			"created_at": "2022-10-25T16:07:24.42571Z",
			"updated_at": "2026-04-10T02:00:04.984213Z",
			"deleted_at": null,
			"main_name": "Worok",
			"aliases": [],
			"source_name": "ETDA:Worok",
			"tools": [
				"CLRLoad",
				"Mimikatz",
				"NBTscan",
				"PNGLoad",
				"PowHeartBeat",
				"SAMRID",
				"nbtscan",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e294737b-6aa7-480e-841d-cbed102c356c",
			"created_at": "2023-07-20T02:00:08.787855Z",
			"updated_at": "2026-04-10T02:00:03.368575Z",
			"deleted_at": null,
			"main_name": "Worok",
			"aliases": [],
			"source_name": "MISPGALAXY:Worok",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428",
				"Temp.Hex",
				"Vicious Panda"
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434418,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e08e31a8b751ae55855843963cb5db466ee9f49d.pdf",
		"text": "https://archive.orkl.eu/e08e31a8b751ae55855843963cb5db466ee9f49d.txt",
		"img": "https://archive.orkl.eu/e08e31a8b751ae55855843963cb5db466ee9f49d.jpg"
	}
}