{
	"id": "da832293-b0b4-419a-a446-a479713fff09",
	"created_at": "2026-04-06T00:17:43.697665Z",
	"updated_at": "2026-04-10T13:11:55.526783Z",
	"deleted_at": null,
	"sha1_hash": "07838bba3b9a02a26087aa8924fac43793fcf8f1",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46274,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:12:30 UTC\nAPT group: DarkUniverse\nNames: DarkUniverse (Kaspersky)\nCountry: [Unknown]\nMotivation: Information theft and espionage\nFirst seen: 2017\nDescription\n(Kaspersky) DarkUniverse is an interesting example of a full cyber-espionage framework used\nfor at least eight years. The malware contains all the necessary modules for collecting all kinds\nof information about the user and the infected system and appears to be fully developed from\nscratch. Due to unique code overlaps, we assume with medium confidence that\nDarkUniverse’s creators were connected with the ItaDuke set of activities. The attackers were\nresourceful and kept updating their malware during the full lifecycle of their operations, so the\nobserved samples from 2017 are totally different from the initial samples from 2009. The\nsuspension of its operations may be related to the publishing of the ‘Lost in Translation’ leak,\nor the attackers may simply have decided to switch to more modern approaches and start using\nmore widely available artefacts for their operations.\nObserved\nSectors: Defense and civilian.\nCountries: Afghanistan, Belarus, Ethiopia, Iran, Russia, Sudan, Syria, Tanzania, UAE and\nothers.\nTools used: dfrgntfs5.sqt, glue30.dll, msvcrt58.sqt, updater.mod, zl4vq.sqt.\nInformation: Last change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f5cf306f-3554-4346-8709-96aab00ee577\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=f5cf306f-3554-4346-8709-96aab00ee577\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f5cf306f-3554-4346-8709-96aab00ee577"
	],
	"report_names": [
		"showcard.cgi?u=f5cf306f-3554-4346-8709-96aab00ee577"
	],
	"threat_actors": [
		{
			"id": "9a58d7bb-dd32-41bc-804e-500ef7550cf8",
			"created_at": "2023-01-06T13:46:39.131811Z",
			"updated_at": "2026-04-10T02:00:03.2252Z",
			"deleted_at": null,
			"main_name": "ItaDuke",
			"aliases": [
				"DarkUniverse",
				"SIG27"
			],
			"source_name": "MISPGALAXY:ItaDuke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59ce37c7-ce10-4cc3-ab27-c784a8a0898a",
			"created_at": "2022-10-25T16:07:23.534403Z",
			"updated_at": "2026-04-10T02:00:04.645423Z",
			"deleted_at": null,
			"main_name": "DarkUniverse",
			"aliases": [],
			"source_name": "ETDA:DarkUniverse",
			"tools": [
				"dfrgntfs5.sqt",
				"glue30.dll",
				"msvcrt58.sqt",
				"updater.mod",
				"zl4vq.sqt"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434663,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07838bba3b9a02a26087aa8924fac43793fcf8f1.pdf",
		"text": "https://archive.orkl.eu/07838bba3b9a02a26087aa8924fac43793fcf8f1.txt",
		"img": "https://archive.orkl.eu/07838bba3b9a02a26087aa8924fac43793fcf8f1.jpg"
	}
}