{ "id": "5283dbc7-2a1d-4598-9eb5-b741183a9d95", "created_at": "2026-04-06T00:19:41.55328Z", "updated_at": "2026-04-10T03:37:55.971209Z", "deleted_at": null, "sha1_hash": "02411fece0ba3bc83add85ecb5cdad33571a09fa", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53606, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:07:01 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BeEF\n Tool: BeEF\nNames BeEF\nCategory Tools\nType Vulnerability scanner\nDescription\nBeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that\nfocuses on the web browser.\nAmid growing concerns about web-borne attacks against clients, including mobile clients,\nBeEF allows the professional penetration tester to assess the actual security posture of a target\nenvironment by using client-side attack vectors. Unlike other security frameworks, BeEF looks\npast the hardened network perimeter and client system, and examines exploitability within the\ncontext of the one open door: the web browser. BeEF will hook one or more web browsers and\nuse them as beachheads for launching directed command modules and further attacks against\nthe system from within the browser context.\nInformation Last change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool BeEF\nChanged Name Country Observed\nAPT groups\n Rocket Kitten, Newscaster, NewsBeef 2011-2017\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b2e0549d-7928-4b60-afaf-85b7a7569b41\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b2e0549d-7928-4b60-afaf-85b7a7569b41\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b2e0549d-7928-4b60-afaf-85b7a7569b41\r\nPage 2 of 2\n\nAPT groups Rocket Kitten, Newscaster, NewsBeef 2011-2017 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b2e0549d-7928-4b60-afaf-85b7a7569b41" ], "report_names": [ "listgroups.cgi?u=b2e0549d-7928-4b60-afaf-85b7a7569b41" ], "threat_actors": [ { "id": "029625d2-9734-44f9-9e10-b894b4f57f08", "created_at": "2023-01-06T13:46:38.364105Z", "updated_at": "2026-04-10T02:00:02.944092Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "iKittens", "Group 83", "NewsBeef", "G0058", "CharmingCypress", "Mint Sandstorm", "Parastoo" ], "source_name": "MISPGALAXY:Charming Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "b0261705-df2e-4156-9839-16314250f88a", "created_at": "2023-01-06T13:46:38.373617Z", "updated_at": "2026-04-10T02:00:02.947842Z", "deleted_at": null, "main_name": "Rocket Kitten", "aliases": [ "Operation Woolen-Goldfish", "Thamar Reservoir", "Timberworm", "TEMP.Beanie", "Operation Woolen Goldfish" ], "source_name": "MISPGALAXY:Rocket Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e034b94b-9655-42c4-a72e-a58807dce299", "created_at": "2022-10-25T16:07:24.133537Z", "updated_at": "2026-04-10T02:00:04.876832Z", "deleted_at": null, "main_name": "Rocket Kitten", "aliases": [ "Group 83", "NewsBeef", "Newscaster", "Operation Newscaster", "Operation Woolen-GoldFish", "Parastoo", "Rocket Kitten" ], "source_name": "ETDA:Rocket Kitten", "tools": [ "CoreImpact (Modified)", "FireMalv", "Ghole", "Gholee" ], "source_id": "ETDA", "reports": null }, { "id": "8faa11f5-2a14-479c-9ea8-3779e6de9749", "created_at": "2022-10-25T15:50:23.814205Z", "updated_at": "2026-04-10T02:00:05.308465Z", "deleted_at": null, "main_name": "Ajax Security Team", "aliases": [ "Ajax Security Team", "Operation Woolen-Goldfish", "AjaxTM", "Rocket Kitten", "Flying Kitten", "Operation Saffron Rose" ], "source_name": "MITRE:Ajax Security Team", "tools": [ "sqlmap", "Havij" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434781, "ts_updated_at": 1775792275, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/02411fece0ba3bc83add85ecb5cdad33571a09fa.pdf", "text": "https://archive.orkl.eu/02411fece0ba3bc83add85ecb5cdad33571a09fa.txt", "img": "https://archive.orkl.eu/02411fece0ba3bc83add85ecb5cdad33571a09fa.jpg" } }