{
	"id": "d012e01c-5644-4617-ad33-b94d4b22b438",
	"created_at": "2026-04-06T00:12:22.726126Z",
	"updated_at": "2026-04-10T03:31:19.577988Z",
	"deleted_at": null,
	"sha1_hash": "e1cddba8d438cbad0ba92807228b84aa8a6854eb",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52439,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-02 10:53:58 UTC\r\nTool: COATHANGER\r\nNames COATHANGER\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(MIVD) The COATHANGER malware provides access to compromised FortiGate\r\ndevices after installation. The implant connects back periodically to a Command \u0026\r\nControl server over SSL, providing a BusyBox reverse shell.\r\nNotably, the COATHANGER implant is persistent, recovering after every reboot by\r\ninjecting a backup of itself in the process responsible for rebooting the system.\r\nMoreover, the infection survives firmware upgrades. Even fully patched FortiGate\r\ndevices may therefore be infected, if they were compromised before the latest patch was\r\napplied.\r\nFurthermore, COATHANGER is stealthy: it is hard to detect using default FortiGate\r\nCLI commands, because it hides itself by hooking most system calls that could reveal its\r\npresence, such as stat and opendir. It does so by replacing them for any process that is\r\nforced to load preload.so.\r\nNote that COATHANGER is distinct from BOLDMOVE, another RAT targeting\r\nFortiGate devices.\r\nInformation\r\n\u003chttps://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf\u003e\r\nMITRE ATT\u0026CK \u003chttps://attack.mitre.org/software/S1105\u003e\r\nLast change to this tool card: 19 June 2024\r\nAll groups using tool COATHANGER\r\nChanged Name Country Observed\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=afab8ba9-b296-4bcd-a5c4-986b185b768b\r\nPage 1 of 2\r\nAPT groups\r\n  [Unnamed groups: China] 2018-Mar 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=afab8ba9-b296-4bcd-a5c4-986b185b768b\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=afab8ba9-b296-4bcd-a5c4-986b185b768b"
	],
	"report_names": [
		"listgroups.cgi?u=afab8ba9-b296-4bcd-a5c4-986b185b768b"
	],
	"threat_actors": [
		{
			"id": "1b2e4010-c5ff-4866-9b32-5265e900d379",
			"created_at": "2024-03-11T02:02:37.083942Z",
			"updated_at": "2026-04-10T02:00:04.988898Z",
			"deleted_at": null,
			"main_name": "[Unnamed groups: China]",
			"aliases": [],
			"source_name": "ETDA:[Unnamed groups: China]",
			"tools": [
				"COATHANGER"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775791879,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1cddba8d438cbad0ba92807228b84aa8a6854eb.pdf",
		"text": "https://archive.orkl.eu/e1cddba8d438cbad0ba92807228b84aa8a6854eb.txt",
		"img": "https://archive.orkl.eu/e1cddba8d438cbad0ba92807228b84aa8a6854eb.jpg"
	}
}