{ "id": "661b0fc4-dab2-4b4b-b443-d13ca0505e05", "created_at": "2026-04-06T00:14:34.610773Z", "updated_at": "2026-04-10T03:25:12.833575Z", "deleted_at": null, "sha1_hash": "033d50a761dcdb85d7bdc5d558e93f3c63fe91fc", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47620, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:32:54 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool QueenOfHearts\n Tool: QueenOfHearts\nNames QueenOfHearts\nCategory Malware\nType Backdoor, Info stealer\nDescription\n(Kaspersky) While it does not contain the anti-analysis countermeasures of its cousin, the rest\nof its features and overall design decisions map to KingOfHearts almost one to one.\nQueenOfHearts seems to have appeared somewhere in 2017. It is the family designated as\nPowerPool by our esteemed colleagues from ESET.\nQueenOfHearts also interacts with its C2 server over HTTP. It sends simple GET requests\ncontaining a backdoor identifier and optional victim machine information, then reads orders\nlocated in the cookie header of the reply. Orders come in the form of two-letter codes (e.g.:\n“xe” to list drives) which tend to vary between samples. As of today, this family is still in\nactive development, and we have observed code refactoring as well as incremental upgrades\nover 2020. For instance, earlier backdoor responses were sent as base64-encoded payloads in\nPOST requests. They are now compressed beforehand, and additionally supplied through the\ncookie header.\nInformation Last change to this tool card: 19 October 2020\nDownload this tool card in JSON format\nAll groups using tool QueenOfHearts\nChanged Name Country Observed\nAPT groups\n IAmTheKing 2018\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=eb7ca7d2-3c84-4f3d-a29e-5a759cc35ea0\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=eb7ca7d2-3c84-4f3d-a29e-5a759cc35ea0\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=eb7ca7d2-3c84-4f3d-a29e-5a759cc35ea0\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=eb7ca7d2-3c84-4f3d-a29e-5a759cc35ea0" ], "report_names": [ "listgroups.cgi?u=eb7ca7d2-3c84-4f3d-a29e-5a759cc35ea0" ], "threat_actors": [ { "id": "3262c97f-3311-49f5-807c-bcea4d8c9924", "created_at": "2022-10-25T16:07:23.717772Z", "updated_at": "2026-04-10T02:00:04.725048Z", "deleted_at": null, "main_name": "IAmTheKing", "aliases": [], "source_name": "ETDA:IAmTheKing", "tools": [ "JackOfHearts", "KingOfHearts", "LaZagne", "Mimikatz", "ProcDump", "PsExec", "QueenOfClubs", "QueenOfHearts", "SLOTHFULMEDIA", "SlothfulMedia" ], "source_id": "ETDA", "reports": null }, { "id": "62985c5c-6938-4365-8432-29573e99ecf4", "created_at": "2022-10-25T16:07:24.075092Z", "updated_at": "2026-04-10T02:00:04.859737Z", "deleted_at": null, "main_name": "PowerPool", "aliases": [], "source_name": "ETDA:PowerPool", "tools": [ "ALPC Local PrivEsc", "FireMaster", "PowerDump", "PowerSploit", "Quarks PwDump", "SMBExec" ], "source_id": "ETDA", "reports": null }, { "id": "adee5dfb-98d1-488f-969d-48eed28cd7e4", "created_at": "2023-01-06T13:46:38.799427Z", "updated_at": "2026-04-10T02:00:03.105089Z", "deleted_at": null, "main_name": "PowerPool", "aliases": [ "IAmTheKing" ], "source_name": "MISPGALAXY:PowerPool", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434474, "ts_updated_at": 1775791512, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/033d50a761dcdb85d7bdc5d558e93f3c63fe91fc.pdf", "text": "https://archive.orkl.eu/033d50a761dcdb85d7bdc5d558e93f3c63fe91fc.txt", "img": "https://archive.orkl.eu/033d50a761dcdb85d7bdc5d558e93f3c63fe91fc.jpg" } }