{
	"id": "777aea97-cc73-41b7-9822-1a52bf6b6c19",
	"created_at": "2026-04-06T00:12:25.641385Z",
	"updated_at": "2026-04-10T13:12:16.452885Z",
	"deleted_at": null,
	"sha1_hash": "fee83c7177204769c92c2aefb39ebe862aef0aa3",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48357,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:42:27 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool GUNTERS\nTool: GUNTERS\nNames: GUNTERS\nCategory: Malware\nType: Loader\nDescription:\n(SentinelLabs) During our analysis of Moshen Dragon’s activities, we came across a passive loader previously discussed by Avast as ‘GUNTERS’. This backdoor appears to be highly targeted as it performs checks to verify that it is executed on the right machine.\nBefore execution, the malware calculates the hash of the machine hostname and compares it to a hardcoded value, suggesting that the threat actor generates a different DLL for each target machine.\nInformation\nLast change to this tool card: 03 May 2022\nDownload this tool card in JSON format\nAll groups using tool GUNTERS\nColumns: Changed | Name | Country | Observed\nAPT groups\nName: RedFoxtrot | Observed: 2014-Aug 2021\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7281a8c8-1920-4367-b98b-198cd8f49d3a\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7281a8c8-1920-4367-b98b-198cd8f49d3a\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7281a8c8-1920-4367-b98b-198cd8f49d3a"
	],
	"report_names": [
		"listgroups.cgi?u=7281a8c8-1920-4367-b98b-198cd8f49d3a"
	],
	"threat_actors": [
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "df299f24-89cb-47e3-9515-c018bb501443",
			"created_at": "2023-11-21T02:00:07.383392Z",
			"updated_at": "2026-04-10T02:00:03.473887Z",
			"deleted_at": null,
			"main_name": "Moshen Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Moshen Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695",
			"created_at": "2022-10-25T16:07:24.120424Z",
			"updated_at": "2026-04-10T02:00:04.871598Z",
			"deleted_at": null,
			"main_name": "RedFoxtrot",
			"aliases": [
				"Moshen Dragon",
				"Nomad Panda",
				"TEMP.Trident"
			],
			"source_name": "ETDA:RedFoxtrot",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Fucobha",
				"GUNTERS",
				"Gen:Trojan.Heur.PT",
				"Icefog",
				"Impacket",
				"Kaba",
				"Korplug",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XShellGhost",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434345,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fee83c7177204769c92c2aefb39ebe862aef0aa3.pdf",
		"text": "https://archive.orkl.eu/fee83c7177204769c92c2aefb39ebe862aef0aa3.txt",
		"img": "https://archive.orkl.eu/fee83c7177204769c92c2aefb39ebe862aef0aa3.jpg"
	}
}