{ "id": "40f6eb2c-c7d8-4629-b640-de661653e63b", "created_at": "2026-04-06T00:13:43.015387Z", "updated_at": "2026-04-10T13:11:48.016741Z", "deleted_at": null, "sha1_hash": "eefa2fe9c4d452fa750e42bc3abf08eeb84bd59f", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48695, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:14:34 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Reshell\n Tool: Reshell\nNames Reshell\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) Following the creation of the users and the reconnaissance activity, the attackers\nattempted to execute a previously undocumented .NET backdoor, which they named\nwindows.exe. We named this threat Reshell based on its program database (PDB) path.\nInformation Malpedia Last change to this tool card: 27 December 2024\nDownload this tool card in JSON format\nAll groups using tool Reshell\nChanged Name Country Observed\nAPT groups\n Earth Krahang 2022\n Gallium 2018-Jun 2022\n2 groups listed (2 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=695b8976-7390-45ec-a406-b8a01202bf8b\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=695b8976-7390-45ec-a406-b8a01202bf8b\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=695b8976-7390-45ec-a406-b8a01202bf8b" ], "report_names": [ "listgroups.cgi?u=695b8976-7390-45ec-a406-b8a01202bf8b" ], "threat_actors": [ { "id": "d5451198-ac6b-40af-b8ef-1afb549c2dc8", "created_at": "2024-03-21T02:00:04.728286Z", "updated_at": "2026-04-10T02:00:03.60345Z", "deleted_at": null, "main_name": "Earth Krahang", "aliases": [], "source_name": "MISPGALAXY:Earth Krahang", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd", "created_at": "2022-10-25T15:50:23.264584Z", "updated_at": "2026-04-10T02:00:05.334294Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "GALLIUM", "Granite Typhoon" ], "source_name": "MITRE:GALLIUM", "tools": [ "ipconfig", "cmd", "China Chopper", "PoisonIvy", "at", "PlugX", "PingPull", "BlackMould", "Mimikatz", "PsExec", "HTRAN", "NBTscan", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "f86ac24d-0aef-425c-8087-c0dd270060b9", "created_at": "2024-04-24T02:02:07.638437Z", "updated_at": "2026-04-10T02:00:04.663683Z", "deleted_at": null, "main_name": "Earth Krahang", "aliases": [], "source_name": "ETDA:Earth Krahang", "tools": [ "Agent.dhwf", "Agentemis", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "DinodasRAT", "Kaba", "Korplug", "POISONPLUG.SHADOW", "PlugX", "RedDelta", "Reshell", "ShadowPad Winnti", "Sogu", "TIGERPLUG", "TVT", "Thoper", "XDealer", "XShellGhost", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9faf32b7-0221-46ac-a716-c330c1f10c95", "created_at": "2022-10-25T16:07:23.652281Z", "updated_at": "2026-04-10T02:00:04.702108Z", "deleted_at": null, "main_name": "Gallium", "aliases": [ "Alloy Taurus", "G0093", "Granite Typhoon", "Phantom Panda" ], "source_name": "ETDA:Gallium", "tools": [ "Agentemis", "BlackMould", "CHINACHOPPER", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Darkmoon", "Gen:Trojan.Heur.PT", "Gh0stCringe RAT", "HTran", "HUC Packet Transmit Tool", "LaZagne", "Mimikatz", "NBTscan", "PingPull", "Plink", "Poison Ivy", "PsExec", "PuTTY Link", "QuarkBandit", "Quasar RAT", "QuasarRAT", "Reshell", "SPIVY", "SinoChopper", "SoftEther VPN", "Sword2033", "WCE", "WinRAR", "Windows Credential Editor", "Windows Credentials Editor", "Yggdrasil", "cobeacon", "nbtscan", "netcat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "c87ee2df-e528-4fa0-bed6-6ed29e390688", "created_at": "2023-01-06T13:46:39.150432Z", "updated_at": "2026-04-10T02:00:03.231072Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "Red Dev 4", "Alloy Taurus", "Granite Typhoon", "PHANTOM PANDA" ], "source_name": "MISPGALAXY:GALLIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434423, "ts_updated_at": 1775826708, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/eefa2fe9c4d452fa750e42bc3abf08eeb84bd59f.pdf", "text": "https://archive.orkl.eu/eefa2fe9c4d452fa750e42bc3abf08eeb84bd59f.txt", "img": "https://archive.orkl.eu/eefa2fe9c4d452fa750e42bc3abf08eeb84bd59f.jpg" } }