{
	"id": "d4b5996c-b7f0-4726-9803-fe0f41dc2948",
	"created_at": "2026-04-06T00:09:20.58864Z",
	"updated_at": "2026-04-10T13:12:27.083812Z",
	"deleted_at": null,
	"sha1_hash": "e57e37a28a5fbdd190dbc9a3dabf93e4e215f47d",
	"title": "Sakula RAT - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56549,
	"plain_text": "Sakula RAT - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 12:59:13 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Sakula RAT\n Tool: Sakula RAT\nNames\nSakula RAT\nSakula\nSakurel\nVIPER\nCategory Malware\nType Backdoor, Downloader, Exfiltration\nDescription\n(SecureWorks) Sakula uses HTTP GET and POST communication for command and\ncontrol (C2). Network communication is obfuscated with single-byte XOR encoding.\nSakula also leverages single-byte XOR encoding to obfuscate various strings and files\nembedded in the resource section, which are subsequently used for User Account\nControl (UAC) bypass on both 32 and 64-bit systems.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Sakula RAT\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=60bcd6ad-2ac9-4ca8-82d2-54b200d0b098\nPage 1 of 2\n\nAPT groups\r\n  APT 31, Judgment Panda, Zirconium 2016-Mar 2024\r\n \r\nTurbine Panda, APT 26, Shell Crew, WebMasters, KungFu\r\nKittens\r\n2010-Oct 2018\r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=60bcd6ad-2ac9-4ca8-82d2-54b200d0b098\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=60bcd6ad-2ac9-4ca8-82d2-54b200d0b098\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=60bcd6ad-2ac9-4ca8-82d2-54b200d0b098"
	],
	"report_names": [
		"listgroups.cgi?u=60bcd6ad-2ac9-4ca8-82d2-54b200d0b098"
	],
	"threat_actors": [
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a080173e-7141-4d46-831d-a5f15ebef31a",
			"created_at": "2023-01-06T13:46:38.629955Z",
			"updated_at": "2026-04-10T02:00:03.044597Z",
			"deleted_at": null,
			"main_name": "APT26",
			"aliases": [
				"JerseyMikes",
				"TURBINE PANDA",
				"BRONZE EXPRESS",
				"TECHNETIUM",
				"Taffeta Typhoon"
			],
			"source_name": "MISPGALAXY:APT26",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434160,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e57e37a28a5fbdd190dbc9a3dabf93e4e215f47d.pdf",
		"text": "https://archive.orkl.eu/e57e37a28a5fbdd190dbc9a3dabf93e4e215f47d.txt",
		"img": "https://archive.orkl.eu/e57e37a28a5fbdd190dbc9a3dabf93e4e215f47d.jpg"
	}
}