{
	"id": "b3602e0e-d31e-4bd1-b187-0f3b4740b1e0",
	"created_at": "2026-04-06T00:09:52.079637Z",
	"updated_at": "2026-04-10T13:11:26.102343Z",
	"deleted_at": null,
	"sha1_hash": "e27752ff628a883143557b8faff9ebc4f22a286d",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51727,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:38:14 UTC\nTool: Nightdoor\nNames: Nightdoor, NetMM, Suzafk\nCategory: Malware\nType: Backdoor\nDescription\n(ESET) The backdoor that we have named Nightdoor (and is named NetMM by the malware authors according to PDB paths) is a late addition to Evasive Panda’s toolset. Our earliest knowledge of Nightdoor goes back to 2020, when Evasive Panda deployed it onto a machine of a high-profile target in Vietnam. The backdoor communicates with its C\u0026C server via UDP or the Google Drive API. The Nightdoor implant from this campaign used the latter. It encrypts a Google API OAuth 2.0 token within the data section and uses the token to access the attacker’s Google Drive. We have requested that the Google account associated with this token be taken down.\nInformation: MITRE ATT\u0026CK, Malpedia\nLast change to this tool card: 27 December 2024\nAll groups using tool Nightdoor\nAPT groups\nName: Bronze Highland; Observed: 2012-Jul 2024\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=43a3efa0-ab8e-4404-8416-f2629a7026e3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=43a3efa0-ab8e-4404-8416-f2629a7026e3"
	],
	"report_names": [
		"listgroups.cgi?u=43a3efa0-ab8e-4404-8416-f2629a7026e3"
	],
	"threat_actors": [
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434192,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e27752ff628a883143557b8faff9ebc4f22a286d.pdf",
		"text": "https://archive.orkl.eu/e27752ff628a883143557b8faff9ebc4f22a286d.txt",
		"img": "https://archive.orkl.eu/e27752ff628a883143557b8faff9ebc4f22a286d.jpg"
	}
}