{ "id": "914d4e10-ead8-4cbf-ba52-0c970d6032d4", "created_at": "2026-04-06T00:19:54.091016Z", "updated_at": "2026-04-10T03:37:54.309201Z", "deleted_at": null, "sha1_hash": "f9a10ccffd78666bad5434a4e256a370a5f62a16", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54648, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:26:33 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool DoubleAgent\n Tool: DoubleAgent\nNames DoubleAgent\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\nDescription\n(Lookout) In 2013 Citizen Lab reported on a compromised version of KakaoTalk, which\nhad been used to target a prominent individual in the Tibetan community. This app was\nthe first publicly exposed sample of a malware family called DoubleAgent. When\nLookout initially investigated DoubleAgent in 2015, it was already an advanced Android\nremote access tool (RAT). Early versions of this family trojanized apps such as Voxer\nand TalkBox, as well as Amaq News, the official Daesh news application. The extent of\nthis malware family and its connections to other campaigns has not been publicly\nreported on until now. Lookout researchers have seen DoubleAgent used exclusively\nagainst groups with contentious relationships with the Chinese government.\nAlthough Lookout has been tracking this malware family for many years, new samples\ndiscovered in the last year indicated that the actors behind DoubleAgent were continuing\nto evolve the surveillanceware and use new infrastructure. However, they maintained the\nsame targeting, as well as several key malware characteristics, such as similar\ndecryption keys for configuration files.\nThese recent samples, discovered in late 2019, are the focus of this section on\nDoubleAgent. A decryption of the configuration files from these samples revealed a\ndirect overlap in C2 infrastructure between the operators of DoubleAgent and SilkBean\nat a time when both malware families appeared to be active.\nInformation\nMITRE ATT\u0026CK Malpedia https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=70767fb4-c613-4566-837f-81dc2e9d5ece\nPage 1 of 2\n\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:DoubleAgent\u003e\r\nLast change to this tool card: 30 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool DoubleAgent\r\nChanged Name Country Observed\r\nAPT groups\r\n  Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon 2010-Oct 2024  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=70767fb4-c613-4566-837f-81dc2e9d5ece\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=70767fb4-c613-4566-837f-81dc2e9d5ece\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=70767fb4-c613-4566-837f-81dc2e9d5ece" ], "report_names": [ "listgroups.cgi?u=70767fb4-c613-4566-837f-81dc2e9d5ece" ], "threat_actors": [ { "id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e", "created_at": "2022-10-25T15:50:23.453824Z", "updated_at": "2026-04-10T02:00:05.28793Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "Ke3chang", "APT15", "Vixen Panda", "GREF", "Playful Dragon", "RoyalAPT", "Nylon Typhoon" ], "source_name": "MITRE:Ke3chang", "tools": [ "Okrum", "Systeminfo", "netstat", "spwebmember", "Mimikatz", "Tasklist", "MirageFox", "Neoichor", "ipconfig" ], "source_id": "MITRE", "reports": null }, { "id": "adfbe698-24b2-41fc-a701-781fef330b16", "created_at": "2024-01-09T02:00:04.17648Z", "updated_at": "2026-04-10T02:00:03.504826Z", "deleted_at": null, "main_name": "GREF", "aliases": [], "source_name": "MISPGALAXY:GREF", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "7d5531e2-0ad1-4237-beed-af009035576f", "created_at": "2024-05-01T02:03:07.977868Z", "updated_at": "2026-04-10T02:00:03.817883Z", "deleted_at": null, "main_name": "BRONZE PALACE", "aliases": [ "APT15 ", "BRONZE DAVENPORT ", "BRONZE IDLEWOOD ", "CTG-6119 ", "CTG-6119 ", "CTG-9246 ", "Ke3chang ", "NICKEL ", "Nylon Typhoon ", "Playful Dragon", "Vixen Panda " ], "source_name": "Secureworks:BRONZE PALACE", "tools": [ "BMW", "BS2005", "Enfal", "Mirage", "RoyalCLI", "RoyalDNS" ], "source_id": "Secureworks", "reports": null }, { "id": "7c8cf02c-623a-4793-918b-f908675a1aef", "created_at": "2023-01-06T13:46:38.309165Z", "updated_at": "2026-04-10T02:00:02.921721Z", "deleted_at": null, "main_name": "APT15", "aliases": [ "Metushy", "Lurid", "Social Network Team", "Royal APT", "BRONZE DAVENPORT", "BRONZE IDLEWOOD", "VIXEN PANDA", "Ke3Chang", "Playful Dragon", "BRONZE PALACE", "G0004", "Red Vulture", "Nylon Typhoon" ], "source_name": "MISPGALAXY:APT15", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c", "created_at": "2022-10-25T16:07:23.750796Z", "updated_at": "2026-04-10T02:00:04.736762Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "APT 15", "BackdoorDiplomacy", "Bronze Davenport", "Bronze Idlewood", "Bronze Palace", "CTG-9246", "G0004", "G0135", "GREF", "Ke3chang", "Metushy", "Nylon Typhoon", "Operation Ke3chang", "Operation MirageFox", "Playful Dragon", "Playful Taurus", "PurpleHaze", "Red Vulture", "Royal APT", "Social Network Team", "Vixen Panda" ], "source_name": "ETDA:Ke3chang", "tools": [ "Agentemis", "Anserin", "BS2005", "BleDoor", "CarbonSteal", "Cobalt Strike", "CobaltStrike", "DarthPusher", "DoubleAgent", "EternalBlue", "GoldenEagle", "Graphican", "HenBox", "HighNoon", "IRAFAU", "Ketrican", "Ketrum", "LOLBAS", "LOLBins", "Living off the Land", "MS Exchange Tool", "Mebroot", "Mimikatz", "MirageFox", "NBTscan", "Okrum", "PluginPhantom", "PortQry", "ProcDump", "PsList", "Quarian", "RbDoor", "RibDoor", "Royal DNS", "RoyalCli", "RoyalDNS", "SAMRID", "SMBTouch", "SilkBean", "Sinowal", "SpyWaller", "Theola", "TidePool", "Torpig", "Turian", "Winnti", "XSLCmd", "cobeacon", "nbtscan", "netcat", "spwebmember" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434794, "ts_updated_at": 1775792274, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f9a10ccffd78666bad5434a4e256a370a5f62a16.pdf", "text": "https://archive.orkl.eu/f9a10ccffd78666bad5434a4e256a370a5f62a16.txt", "img": "https://archive.orkl.eu/f9a10ccffd78666bad5434a4e256a370a5f62a16.jpg" } }