{
	"id": "5e0df6f7-9c15-4db7-84e4-317fa9b30f94",
	"created_at": "2026-04-06T00:16:12.776925Z",
	"updated_at": "2026-04-10T03:28:12.995877Z",
	"deleted_at": null,
	"sha1_hash": "f7becd091cf1ecab340aff359d3e12fbfed18dc2",
	"title": "SSLove RAT - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51171,
	"plain_text": "SSLove RAT - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:24:01 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SSLove RAT\r\n Tool: SSLove RAT\r\nNames SSLove RAT\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\r\nDescription\r\n(Qihoo 360) The main features of the Android sample in this attack are as follows:\r\n• Get contact\r\n• Get SMS\r\n• Get location\r\n• Get WhatsApp chathistory\r\n• Get call history\r\n• Get file list\r\n• Upload file\r\n• Get device information\r\n• Get account information\r\n• Take a photo\r\nIn the process of stealing privacy, SSlove RAT uses a remote SQL Server database to store\r\nstolen information such as contacts, text messages, location, WhatsApp chat records, and\r\nuploads images, audios, and other files to its FTP server.\r\nInformation \u003chttp://blogs.360.cn/post/SEA_role_influence_cyberattacks.html\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool SSLove RAT\r\nChanged Name Country Observed\r\nAPT groups\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd4b91f1-bacf-484e-a03d-9f013a88f85f\r\nPage 1 of 2\n\n↳ Subgroup: Pat Bear, APT-C-37 2015  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd4b91f1-bacf-484e-a03d-9f013a88f85f\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd4b91f1-bacf-484e-a03d-9f013a88f85f\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd4b91f1-bacf-484e-a03d-9f013a88f85f"
	],
	"report_names": [
		"listgroups.cgi?u=fd4b91f1-bacf-484e-a03d-9f013a88f85f"
	],
	"threat_actors": [
		{
			"id": "0769c188-62ce-44ee-8e9d-1067f3d3c083",
			"created_at": "2022-10-25T16:07:24.259063Z",
			"updated_at": "2026-04-10T02:00:04.913621Z",
			"deleted_at": null,
			"main_name": "Pat Bear",
			"aliases": [
				"APT-C-37",
				"Pat Bear",
				"Racquet Bear"
			],
			"source_name": "ETDA:Pat Bear",
			"tools": [
				"Bladabindi",
				"CypherRat",
				"DroidJack",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"Jenxcus",
				"Jorik",
				"Kognito",
				"Njw0rm",
				"SSLove RAT",
				"SpyNote",
				"SpyNote RAT",
				"WSHRAT",
				"dinihou",
				"dunihi",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434572,
	"ts_updated_at": 1775791692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7becd091cf1ecab340aff359d3e12fbfed18dc2.pdf",
		"text": "https://archive.orkl.eu/f7becd091cf1ecab340aff359d3e12fbfed18dc2.txt",
		"img": "https://archive.orkl.eu/f7becd091cf1ecab340aff359d3e12fbfed18dc2.jpg"
	}
}