{
	"id": "04f9ba53-b7b4-40f3-9d6a-1b86778435c2",
	"created_at": "2026-04-06T00:11:36.189918Z",
	"updated_at": "2026-04-10T03:32:34.666256Z",
	"deleted_at": null,
	"sha1_hash": "e855fc20eda7dc0bb3451a8b74f1e2050d86bef9",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49487,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 11:40:28 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Pylot\n Tool: Pylot\nNames\nPylot\nTravle\nCategory Malware\nType Backdoor, Info stealer\nDescription\n(Carbon Black) The Pylot (or Travle) malware family appears to be an evolution of the\nNetTraveler malware family (which has been linked to attackers out of China by\nnumerous sources). Over the last year a variant has been observed as a secondary payload\noften used in conjunction with malicious carrier files (typically MS Office or Rich Text\nFormat (RTF) documents).\nThe Pylot malware has been observed being installed via shellcode from known CVEs in\nOffice products as well as by malware loaders (or first stage malware variants,\nspecifically the CMStar malware family). In late 2017 samples of the Pylot family were\nsubmitted, by customers, to the Carbon Black Threat Analysis Unit (TAU) as part of\nongoing investigation.\nInformation AlienVault OTX Last change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool Pylot\nChanged Name Country Observed\nAPT groups\n Vicious Panda 2015-Mar 2020\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f5e66c69-d62f-41cd-88da-fbe2d53d1dd3\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f5e66c69-d62f-41cd-88da-fbe2d53d1dd3\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f5e66c69-d62f-41cd-88da-fbe2d53d1dd3\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f5e66c69-d62f-41cd-88da-fbe2d53d1dd3"
	],
	"report_names": [
		"listgroups.cgi?u=f5e66c69-d62f-41cd-88da-fbe2d53d1dd3"
	],
	"threat_actors": [
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5c5d5d4-3969-4e34-9982-55144c3908eb",
			"created_at": "2022-10-25T16:07:24.37846Z",
			"updated_at": "2026-04-10T02:00:04.965506Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"Bronze Dudley"
			],
			"source_name": "ETDA:Vicious Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"BBSRAT",
				"Byeby",
				"Cmstar",
				"Enfal",
				"Lurid",
				"Pylot",
				"RoyalRoad",
				"Travle",
				"meciv"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e79c98d-c678-4f28-b869-5723a78e71f4",
			"created_at": "2023-01-06T13:46:39.422441Z",
			"updated_at": "2026-04-10T02:00:03.322083Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "MISPGALAXY:Vicious Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434296,
	"ts_updated_at": 1775791954,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e855fc20eda7dc0bb3451a8b74f1e2050d86bef9.pdf",
		"text": "https://archive.orkl.eu/e855fc20eda7dc0bb3451a8b74f1e2050d86bef9.txt",
		"img": "https://archive.orkl.eu/e855fc20eda7dc0bb3451a8b74f1e2050d86bef9.jpg"
	}
}