{
	"id": "09466993-0785-429b-8dee-5bd88589ba08",
	"created_at": "2026-04-06T00:17:59.521125Z",
	"updated_at": "2026-04-10T03:28:34.724031Z",
	"deleted_at": null,
	"sha1_hash": "07069fdc59eed10a728596d61c56683070d1b7e4",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50041,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:27:53 UTC\nTool: CHAINSHOT\nNames CHAINSHOT\nCategory Malware\nType Downloader\nDescription\n(Palo Alto) We uncovered part of a new toolkit which was used as a downloader alongside\nAdobe Flash exploit CVE-2018-5002 to target victims in the Middle East. This was\npossible because the attacker made a mistake in using insecure 512-bit RSA encryption.\nThe malware sends user information encrypted to the attacker server and attempts to\ndownload a final stage implant. It was allegedly developed with the help of an unknown\nframework and makes extensive use of custom error handling. Because the attacker made\nanother mistake in using the same SSL certificate for similar attacks, we were able to\nuncover additional infrastructure indicating a larger campaign.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 13 May 2020\nAll groups using tool CHAINSHOT\nChanged Name Country Observed\nAPT groups\nSandCat 2018\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=da13a57a-3d8e-4c94-bbd1-107ba0629882",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=da13a57a-3d8e-4c94-bbd1-107ba0629882"
	],
	"report_names": [
		"listgroups.cgi?u=da13a57a-3d8e-4c94-bbd1-107ba0629882"
	],
	"threat_actors": [
		{
			"id": "80cf66b8-27d2-4e87-b0d1-5bacacd9bb3d",
			"created_at": "2023-01-06T13:46:38.931567Z",
			"updated_at": "2026-04-10T02:00:03.149736Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "MISPGALAXY:SandCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67ac502c-8cf8-46cb-98e8-c249e0f0298d",
			"created_at": "2022-10-25T16:07:24.149987Z",
			"updated_at": "2026-04-10T02:00:04.882099Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "ETDA:SandCat",
			"tools": [
				"CHAINSHOT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434679,
	"ts_updated_at": 1775791714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07069fdc59eed10a728596d61c56683070d1b7e4.pdf",
		"text": "https://archive.orkl.eu/07069fdc59eed10a728596d61c56683070d1b7e4.txt",
		"img": "https://archive.orkl.eu/07069fdc59eed10a728596d61c56683070d1b7e4.jpg"
	}
}