{ "id": "a4c0aa0a-d850-4f31-8260-1e2ac99eec61", "created_at": "2026-04-06T00:17:42.618818Z", "updated_at": "2026-04-10T13:12:25.517128Z", "deleted_at": null, "sha1_hash": "f65e8aff8b6867dd81d237c4fb04e3756b24541b", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 56042, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:01:24 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ObliqueRAT\n Tool: ObliqueRAT\nNames\nObliqueRAT\nOblique RAT\nCategory Malware\nType Reconnaissance, Backdoor, Dropper, Exfiltration\nDescription\n(Talos) Cisco Talos has recently discovered a new campaign distributing a malicious\nremote access trojan (RAT) family we're calling 'ObliqueRAT.' Cisco Talos also\ndiscovered a link between ObliqueRAT and another campaign from December 2019\ndistributing Crimson RAT sharing similar maldocs and macros. CrimsonRAT has been\nknown to target diplomatic and government organizations in Southeast Asia.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool ObliqueRAT\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4cd8fd56-3b1e-4e12-90b1-9dd8c4b84793\nPage 1 of 2\n\nTransparent Tribe, APT 36 2013-Mar 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4cd8fd56-3b1e-4e12-90b1-9dd8c4b84793\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4cd8fd56-3b1e-4e12-90b1-9dd8c4b84793\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4cd8fd56-3b1e-4e12-90b1-9dd8c4b84793" ], "report_names": [ "listgroups.cgi?u=4cd8fd56-3b1e-4e12-90b1-9dd8c4b84793" ], "threat_actors": [ { "id": "fce5181c-7aab-400f-bd03-9db9e791da04", "created_at": "2022-10-25T15:50:23.759799Z", "updated_at": "2026-04-10T02:00:05.3002Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "Transparent Tribe", "COPPER FIELDSTONE", "APT36", "Mythic Leopard", "ProjectM" ], "source_name": "MITRE:Transparent Tribe", "tools": [ "DarkComet", "ObliqueRAT", "njRAT", "Peppy" ], "source_id": "MITRE", "reports": null }, { "id": "abb24b7b-6baa-4070-9a2b-aa59091097d1", "created_at": "2022-10-25T16:07:24.339942Z", "updated_at": "2026-04-10T02:00:04.944806Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "APT 36", "APT-C-56", "Copper Fieldstone", "Earth Karkaddan", "G0134", "Green Havildar", "Mythic Leopard", "Opaque Draco", "Operation C-Major", "Operation Honey Trap", "Operation Transparent Tribe", "ProjectM", "STEPPY-KAVACH", "Storm-0156", "TEMP.Lapis", "Transparent Tribe" ], "source_name": "ETDA:Transparent Tribe", "tools": [ "Amphibeon", "Android RAT", "Bezigate", "Bladabindi", "Bozok", "Bozok RAT", "BreachRAT", "Breut", "CapraRAT", "CinaRAT", "Crimson RAT", "DarkComet", "DarkKomet", "ElizaRAT", "FYNLOS", "Fynloski", "Jorik", "Krademok", "Limepad", "Luminosity RAT", "LuminosityLink", "MSIL", "MSIL/Crimson", "Mobzsar", "MumbaiDown", "Oblique RAT", "ObliqueRAT", "Peppy RAT", "Peppy Trojan", "Quasar RAT", "QuasarRAT", "SEEDOOR", "Scarimson", "SilentCMD", "Stealth Mango", "UPDATESEE", "USBWorm", "Waizsar RAT", "Yggdrasil", "beendoor", "klovbot", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "c68fa27f-e8d9-4932-856b-467ccfe39997", "created_at": "2023-01-06T13:46:38.450585Z", "updated_at": "2026-04-10T02:00:02.980334Z", "deleted_at": null, "main_name": "Operation C-Major", "aliases": [ "APT36", "APT 36", "TMP.Lapis", "COPPER FIELDSTONE", "Storm-0156", "Transparent Tribe", "ProjectM", "Green Havildar", "Earth Karkaddan", "C-Major", "Mythic Leopard" ], "source_name": "MISPGALAXY:Operation C-Major", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434662, "ts_updated_at": 1775826745, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f65e8aff8b6867dd81d237c4fb04e3756b24541b.pdf", "text": "https://archive.orkl.eu/f65e8aff8b6867dd81d237c4fb04e3756b24541b.txt", "img": "https://archive.orkl.eu/f65e8aff8b6867dd81d237c4fb04e3756b24541b.jpg" } }