{
	"id": "b67a7cef-c74c-4a2d-9713-5a77fcf28b91",
	"created_at": "2026-04-06T00:07:03.331078Z",
	"updated_at": "2026-04-10T03:32:10.400121Z",
	"deleted_at": null,
	"sha1_hash": "fe92cab323a1d7e0bf08df2e810bb8f4309be820",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55217,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 12:05:04 UTC\n APT group: Mikroceen\nNames\nMikroceen (ESET)\nSixLittleMonkeys (Kaspersky)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2017\nDescription\n(ESET) In this joint blogpost with fellow researchers from Avast, we provide a\ntechnical analysis of a constantly developed RAT that has been used in various\ntargeted campaigns against both public and private subjects since late 2017. We\nobserved multiple instances of attacks involving this RAT, and all of them happened\nin Central Asia. Among the targeted subjects were several important companies in\nthe telecommunications and gas industries, and governmental entities.\nMoreover, we connect the dots between the latest campaign and three previously\npublished reports: Kaspersky’s Microcin against Russian military personnel, Palo\nAlto Networks’ BYEBY against the Belarussian government and Checkpoint’s\nVicious Panda against the Mongolian public sector. Also, we discuss other malware\nthat was typically a part of the attacker’s toolset together with the RAT. We chose the\nname Mikroceen to cover all instances of the RAT, in acknowledgement of\nKaspersky’s initial report on the family. 
The misspelling is intentional, in order to\navoid the established microbiological notion, but also to have at least phonemic\nagreement.\nObserved\nSectors: Defense, Government, Oil and gas, Telecommunications.\nCountries: Belarus, Mongolia, Russia and Central Asia.\nTools used\nGh0st RAT, logon.dll, logsupport.dll, Microcin, Mimikatz, pcaudit.bat,\nsqllauncher.dll.\nOperations performed Mar 2021\nExchange servers under siege from at least 10 APT groups\nInformation\nLast change to this card: 20 April 2021\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=99c03ea2-2c7c-49fc-a513-9f2782b630a7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=99c03ea2-2c7c-49fc-a513-9f2782b630a7"
	],
	"report_names": [
		"showcard.cgi?u=99c03ea2-2c7c-49fc-a513-9f2782b630a7"
	],
	"threat_actors": [
		{
			"id": "f5c5d5d4-3969-4e34-9982-55144c3908eb",
			"created_at": "2022-10-25T16:07:24.37846Z",
			"updated_at": "2026-04-10T02:00:04.965506Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"Bronze Dudley"
			],
			"source_name": "ETDA:Vicious Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"BBSRAT",
				"Byeby",
				"Cmstar",
				"Enfal",
				"Lurid",
				"Pylot",
				"RoyalRoad",
				"Travle",
				"meciv"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c7097f4-849b-4bc0-a7e6-ba2b510722b6",
			"created_at": "2022-10-25T16:07:23.869951Z",
			"updated_at": "2026-04-10T02:00:04.766204Z",
			"deleted_at": null,
			"main_name": "Mikroceen",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "ETDA:Mikroceen",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Microcin",
				"Mikroceen",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"PCRat",
				"logon.dll",
				"logsupport.dll",
				"pcaudit.bat",
				"sqllauncher.dll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e79c98d-c678-4f28-b869-5723a78e71f4",
			"created_at": "2023-01-06T13:46:39.422441Z",
			"updated_at": "2026-04-10T02:00:03.322083Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "MISPGALAXY:Vicious Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428",
				"Temp.Hex",
				"Vicious Panda"
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434023,
	"ts_updated_at": 1775791930,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe92cab323a1d7e0bf08df2e810bb8f4309be820.pdf",
		"text": "https://archive.orkl.eu/fe92cab323a1d7e0bf08df2e810bb8f4309be820.txt",
		"img": "https://archive.orkl.eu/fe92cab323a1d7e0bf08df2e810bb8f4309be820.jpg"
	}
}