{
	"id": "b057543e-13cd-459d-9f6d-0e238a5e8d84",
	"created_at": "2026-04-06T00:15:34.203413Z",
	"updated_at": "2026-04-10T03:38:03.417579Z",
	"deleted_at": null,
	"sha1_hash": "faeb16955c98ff805b693c7f7328f17ef5d822bc",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45639,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 12:49:21 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Scote\n Tool: Scote\nNames Scote\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) Scote provides backdoor access for an attacker and we have observed it collecting\ncommand and control (C2) information from Pastebin links as well as Google+ profiles. The\nbit.ly links obscured the C2 URLs so victims could not evaluate the legitimacy of the final site\nprior to clicking it. We are calling their recent activity the “TopHat” campaign.\nInformation\nMalpedia Last change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool Scote\nChanged Name Country Observed\nAPT groups\n Molerats, Extreme Jackal, Gaza Cybergang [Gaza] 2012-Jul 2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ae5cbd47-3d42-4be3-b895-0179bc7add56\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ae5cbd47-3d42-4be3-b895-0179bc7add56\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ae5cbd47-3d42-4be3-b895-0179bc7add56"
	],
	"report_names": [
		"listgroups.cgi?u=ae5cbd47-3d42-4be3-b895-0179bc7add56"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434534,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/faeb16955c98ff805b693c7f7328f17ef5d822bc.pdf",
		"text": "https://archive.orkl.eu/faeb16955c98ff805b693c7f7328f17ef5d822bc.txt",
		"img": "https://archive.orkl.eu/faeb16955c98ff805b693c7f7328f17ef5d822bc.jpg"
	}
}