{
	"id": "71e493f0-dc3c-4be5-b404-e83ca1f0314d",
	"created_at": "2026-04-06T00:06:38.489687Z",
	"updated_at": "2026-04-10T13:12:12.592285Z",
	"deleted_at": null,
	"sha1_hash": "f110b10203e8d99e3261dfc667a93cf49d2283a2",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50112,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:16:39 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool NFlog\r\n Tool: NFlog\r\nNames NFlog\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(FireEye) We have observed DragonOK and Moafee use the Nflog implant in addition to\r\nan earlier version of the NewCT2 implant. The password-protected XLS document (46ac122183c32858581e95ef40bd31b3) referenced earlier also drops an “Nflog” implant\r\n(a3d3b0686e7bd13293ad0e63ebec67af).\r\nInformation\r\n\u003chttps://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:nflog\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool NFlog\r\nChanged Name Country Observed\r\nAPT groups\r\n  DragonOK 2015-Jan 2017  \r\n  Moafee 2014  \r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d84c0e21-a3e4-4324-9065-c4f485c83bed\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d84c0e21-a3e4-4324-9065-c4f485c83bed\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d84c0e21-a3e4-4324-9065-c4f485c83bed"
	],
	"report_names": [
		"listgroups.cgi?u=d84c0e21-a3e4-4324-9065-c4f485c83bed"
	],
	"threat_actors": [
		{
			"id": "d7226f71-df4a-405e-9252-f8c4108303ae",
			"created_at": "2022-10-25T15:50:23.325171Z",
			"updated_at": "2026-04-10T02:00:05.413071Z",
			"deleted_at": null,
			"main_name": "Moafee",
			"aliases": [
				"Moafee"
			],
			"source_name": "MITRE:Moafee",
			"tools": [
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0",
			"created_at": "2023-01-06T13:46:38.469688Z",
			"updated_at": "2026-04-10T02:00:02.987949Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Moafee",
				"BRONZE OVERBROOK",
				"G0017",
				"G0002",
				"Shallow Taurus"
			],
			"source_name": "MISPGALAXY:DragonOK",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28",
			"created_at": "2022-10-25T15:50:23.78829Z",
			"updated_at": "2026-04-10T02:00:05.415039Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"DragonOK"
			],
			"source_name": "MITRE:DragonOK",
			"tools": [
				"PoisonIvy",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3c08eb0-cced-43ab-b126-fbe0c39a0698",
			"created_at": "2022-10-25T16:07:23.872885Z",
			"updated_at": "2026-04-10T02:00:04.767193Z",
			"deleted_at": null,
			"main_name": "Moafee",
			"aliases": [
				"G0002"
			],
			"source_name": "ETDA:Moafee",
			"tools": [
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Mongall",
				"NFlog",
				"NewCT2",
				"Poison Ivy",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "593dd07d-853c-46cd-8117-e24061034bbf",
			"created_at": "2025-08-07T02:03:24.648074Z",
			"updated_at": "2026-04-10T02:00:03.625859Z",
			"deleted_at": null,
			"main_name": "BRONZE OVERBROOK",
			"aliases": [
				"Danti ",
				"DragonOK ",
				"Samurai Panda ",
				"Shallow Taurus ",
				"Temp.DragonOK "
			],
			"source_name": "Secureworks:BRONZE OVERBROOK",
			"tools": [
				"Aveo",
				"DDKONG",
				"Godzilla Webshell",
				"HelloBridge",
				"IsSpace",
				"NFLog Trojan",
				"PLAINTEE",
				"PlugX",
				"Rambo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "340d1673-0678-4e1f-8b75-30da2f65cc80",
			"created_at": "2022-10-25T16:07:23.552036Z",
			"updated_at": "2026-04-10T02:00:04.653109Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Bronze Overbrook",
				"G0017",
				"Shallow Taurus"
			],
			"source_name": "ETDA:DragonOK",
			"tools": [
				"Agent.dhwf",
				"CT",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"HTran",
				"HUC Packet Transmit Tool",
				"HelloBridge",
				"IsSpace",
				"KHRAT",
				"Kaba",
				"Korplug",
				"Mongall",
				"NFlog",
				"NewCT",
				"NfLog RAT",
				"PlugX",
				"Poison Ivy",
				"Rambo",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"SysGet",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TidePool",
				"Xamtrav",
				"brebsd",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433998,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f110b10203e8d99e3261dfc667a93cf49d2283a2.pdf",
		"text": "https://archive.orkl.eu/f110b10203e8d99e3261dfc667a93cf49d2283a2.txt",
		"img": "https://archive.orkl.eu/f110b10203e8d99e3261dfc667a93cf49d2283a2.jpg"
	}
}