{
	"id": "8ab7cd5d-7a7f-45c2-9be2-1d0e7168d3db",
	"created_at": "2026-04-06T00:22:27.345016Z",
	"updated_at": "2026-04-10T03:33:18.524787Z",
	"deleted_at": null,
	"sha1_hash": "eca9fec7bc6385423635addc981c4a08b274122b",
	"title": "Cotx RAT - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52817,
	"plain_text": "Cotx RAT - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-02 12:28:45 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Cotx RAT\r\n Tool: Cotx RAT\r\nNames Cotx RAT\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Credential stealer\r\nDescription\r\n(Proofpoint) The RasTls.dll contains the Cotx RAT code. The malware is written in C++ using\r\nobject-oriented programming. We named it by borrowing the name of the location of its stored\r\nconfiguration. The encrypted configuration is stored in the side-loaded DLL file RasTls.dll in a\r\nPE section named “.cotx”. The current encrypted configuration is also stored in the registry\r\nkey “HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\Java\\user”.\r\nThe command and control structure of Cotx RAT is proxy aware. It utilizes wolfSSL for TLS\r\nencrypted communication. The initial beacon contains “|”-delimited system information. The\r\ndata included in the beacon is Zlib compressed and encrypted with AES-192 in CBC mode\r\nutilizing the same keys as the configuration. The following values are included:\r\n• 'id' value from 'software\\\\intel\\\\java' subkey\r\n• Computer name\r\n• 'mark' field from configuration\r\n• Username\r\n• Windows version\r\n• Architecture\r\n• Possible malware version. '0.9.7' is hardcoded in the analyzed sample\r\n• Local IP addresses\r\n• First adapter's MAC address\r\n• Connection type (https or _proxy)\r\n• 'password' field from configuration\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.cotx\u003e\r\nLast change to this tool card: 24 April 2021\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=071fed27-3361-4b37-a553-8e32c65482c8\n\nDownload this tool card in JSON format\r\nAll groups using tool Cotx RAT\r\nChanged Name Country Observed\r\nAPT groups\r\n  TA428 2013-Jan 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=071fed27-3361-4b37-a553-8e32c65482c8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=071fed27-3361-4b37-a553-8e32c65482c8"
	],
	"report_names": [
		"listgroups.cgi?u=071fed27-3361-4b37-a553-8e32c65482c8"
	],
	"threat_actors": [
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434947,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eca9fec7bc6385423635addc981c4a08b274122b.pdf",
		"text": "https://archive.orkl.eu/eca9fec7bc6385423635addc981c4a08b274122b.txt",
		"img": "https://archive.orkl.eu/eca9fec7bc6385423635addc981c4a08b274122b.jpg"
	}
}