{
	"id": "0173effd-d3a3-47e2-a023-6c25e9f50215",
	"created_at": "2026-04-06T01:30:27.924765Z",
	"updated_at": "2026-04-10T13:12:55.833599Z",
	"deleted_at": null,
	"sha1_hash": "0692dd798eab7c2056b47717594d2ea9b71171ce",
	"title": "Subgroup: [Unnamed group USA] - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62178,
	"plain_text": "Subgroup: [Unnamed group USA] - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 00:41:23 UTC\n\nAPT group: Subgroup: [Unnamed group USA]\nNames: [Unnamed group USA] (?)\nCountry: USA\nSponsor: State-sponsored, CIA\nMotivation: Information theft and espionage\nFirst seen: 2019\nDescription: A subgroup of the CIA.\n\n(ClearSky) Over the last few weeks, several significant leaks regarding a number of Iranian APTs took place. After analyzing and investigating the documents we conclude that they are authentic. Consequently, this causes considerable harm to the groups and their operation. The identity of the actor behind the leak is currently unknown; however, based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups’ operation in the near future. Accordingly, in our assessment this will minimize the risk of potential attacks in the next few months and possibly even year. Note – most of the leaks are posted on Telegram channels that were created specifically for this purpose.\nBelow are the three main Telegram groups on which the leaks were posted:\n• Lab Dookhtegam pseudonym (“The people whose lips are stitched and sealed” – translation from Persian) – In this channel attack tools attributed to the group ‘OilRig, APT 34, Helix Kitten, Chrysene’ were leaked, including a webshell that was inserted into the Technion, various tools that were used for DNS attacks, and more.\n• Green Leakers – In this channel attack tools attributed to the group ‘MuddyWater, Seedworm, TEMP.Zagros, Static Kitten’ were leaked. The group’s name and its symbol are identified with the “green movement”, which led the protests in Iran after the Presidential elections in 2009. These protests were heavily repressed by the Revolutionary Guards (IRGC).\n• Black Box – Unlike the previous two channels this has been around for a long time. On Friday May 5th, dozens of confidential documents labeled as “secret” (a high confidentiality level in Iran, one before the highest – top secret) were posted on this channel. The documents were related to Iranian attack groups’ activity. See [Unnamed groups: Iran].\n\nObserved Countries: China, Iran, North Korea, Russia.\n\nTools used\n\nOperations performed\nJul 2019: Hackers breach FSB contractor, expose Tor deanonymization project and more\nMar 2020: Hackers breach FSB contractor and leak details about IoT hacking project\n\nInformation\nLast change to this card: 11 March 2024\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d4ccac4c-06b7-4b12-af53-7b96e160055a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d4ccac4c-06b7-4b12-af53-7b96e160055a"
	],
	"report_names": [
		"showcard.cgi?u=d4ccac4c-06b7-4b12-af53-7b96e160055a"
	],
	"threat_actors": [
		{
			"id": "65c27056-1931-4600-aee6-7883b1c819ae",
			"created_at": "2022-10-25T16:07:23.463834Z",
			"updated_at": "2026-04-10T02:00:04.619054Z",
			"deleted_at": null,
			"main_name": "[Unnamed group USA]",
			"aliases": [
				"[Unnamed group USA]"
			],
			"source_name": "ETDA:[Unnamed group USA]",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c1f1d9ce-ad31-49db-9f82-cc0dd12374da",
			"created_at": "2023-01-06T13:46:39.006986Z",
			"updated_at": "2026-04-10T02:00:03.17886Z",
			"deleted_at": null,
			"main_name": "[Unnamed group]",
			"aliases": [],
			"source_name": "MISPGALAXY:[Unnamed group]",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e453f9aa-a448-48c0-afcb-6495f5becdb9",
			"created_at": "2024-03-11T02:02:37.090237Z",
			"updated_at": "2026-04-10T02:00:04.989739Z",
			"deleted_at": null,
			"main_name": "[Unnamed groups: Iran]",
			"aliases": [],
			"source_name": "ETDA:[Unnamed groups: Iran]",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34",
				"CHRYSENE",
				"Crambus",
				"EUROPIUM",
				"Hazel Sandstorm",
				"Helix Kitten",
				"ITG13",
				"OilRig",
				"Yellow Maero"
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439027,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0692dd798eab7c2056b47717594d2ea9b71171ce.pdf",
		"text": "https://archive.orkl.eu/0692dd798eab7c2056b47717594d2ea9b71171ce.txt",
		"img": "https://archive.orkl.eu/0692dd798eab7c2056b47717594d2ea9b71171ce.jpg"
	}
}