{ "id": "1ed40b14-bd69-4228-b8ba-e571306bfde1", "created_at": "2026-04-06T00:16:47.721621Z", "updated_at": "2026-04-10T03:34:23.446937Z", "deleted_at": null, "sha1_hash": "008ba1507e3d491c77ab7659bad31634e3c25fc9", "title": "UAC - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 43731, "plain_text": "UAC - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 12:50:25 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Bypass-UAC\r\n Tool: Bypass-UAC\r\nNames Bypass-UAC\r\nCategory Tools\r\nType Loader\r\nDescription\r\nBypass-UAC provides a framework to perform UAC bypasses based on auto elevating\r\nIFileOperation COM object method calls. This is not a new technique, traditionally, this is\r\naccomplished by injecting a DLL into 'explorer.exe'. This is not desirable because injecting\r\ninto explorer may trigger security alerts and working with unmanaged DLL's makes for an\r\ninflexible work-flow.\r\nInformation\r\n\u003chttps://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Bypass-UAC/Bypass-UAC.ps1\u003e\r\nLast change to this tool card: 10 July 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Bypass-UAC\r\nChanged Name Country Observed\r\nAPT groups\r\n  Evilnum [Unknown] 2018-2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=afeb4df6-5641-414d-b056-577367c8b5a7\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=afeb4df6-5641-414d-b056-577367c8b5a7\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=afeb4df6-5641-414d-b056-577367c8b5a7" ], "report_names": [ "listgroups.cgi?u=afeb4df6-5641-414d-b056-577367c8b5a7" ], "threat_actors": [ { "id": "059b16f8-d4e0-4399-9add-18101a2fd298", "created_at": "2022-10-25T15:50:23.29434Z", "updated_at": "2026-04-10T02:00:05.380938Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "Evilnum" ], "source_name": "MITRE:Evilnum", "tools": [ "More_eggs", "EVILNUM", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "39ea99fb-1704-445d-b5cd-81e7c99d6012", "created_at": "2022-10-25T16:07:23.601894Z", "updated_at": "2026-04-10T02:00:04.684134Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "G0120", "Jointworm", "Operation Phantom in the [Command] Shell", "TA4563" ], "source_name": "ETDA:Evilnum", "tools": [ "Bypass-UAC", "Cardinal RAT", "ChromeCookiesView", "EVILNUM", "Evilnum", "IronPython", "LaZagne", "MailPassView", "More_eggs", "ProduKey", "PyVil", "PyVil RAT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraPreter", "TerraStealer", "TerraTV" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434607, "ts_updated_at": 1775792063, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/008ba1507e3d491c77ab7659bad31634e3c25fc9.pdf", "text": "https://archive.orkl.eu/008ba1507e3d491c77ab7659bad31634e3c25fc9.txt", "img": "https://archive.orkl.eu/008ba1507e3d491c77ab7659bad31634e3c25fc9.jpg" } }