{
	"id": "11dbaa8c-23a8-41b4-a5b9-2bb2d45838dd",
	"created_at": "2026-04-06T00:21:37.898749Z",
	"updated_at": "2026-04-10T13:12:23.983769Z",
	"deleted_at": null,
	"sha1_hash": "0c7d75d4543585079e43e77990accd057243dc53",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42956,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:17:35 UTC\n Other threat group: Parinacota\nNames\nParinacota (Microsoft)\nWine Tempest (Microsoft)\nCountry [Unknown]\nMotivation Financial gain\nFirst seen 2018\nDescription\n(Microsoft) One actor that has emerged in this trend of human-operated attacks is an active,\nhighly adaptive group that frequently drops Wadhrama as payload. Microsoft has been\ntracking this group for some time, but now refers to them as PARINACOTA, using our new\nnaming designation for digital crime actors based on global volcanoes.\nPARINACOTA impacts three to four organizations every week and appears quite resourceful:\nduring the 18 months that we have been monitoring it, we have observed the group change\ntactics to match its needs and use compromised machines for various purposes, including\ncryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals\nand payloads have shifted over time, influenced by the type of compromised infrastructure, but\nin recent months, they have mostly deployed the Wadhrama ransomware.\nThe group most often employs a smash-and-grab method, whereby they attempt to infiltrate a\nmachine in a network and proceed with subsequent ransom in less than an hour. There are\noutlier campaigns in which they attempt reconnaissance and lateral movement, typically when\nthey land on a machine and network that allows them to quickly and easily move throughout\nthe environment.\nObserved Countries: Worldwide.\nTools used Mimikatz, ProcDump, Wadhrama.\nInformation\nLast change to this card: 26 April 2023\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5d8fa8b4-2ed3-47ae-a21b-86e8dd17773b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5d8fa8b4-2ed3-47ae-a21b-86e8dd17773b"
	],
	"report_names": [
		"showcard.cgi?u=5d8fa8b4-2ed3-47ae-a21b-86e8dd17773b"
	],
	"threat_actors": [
		{
			"id": "930dc6a9-03bf-4b84-877c-70fd006b8a33",
			"created_at": "2025-03-29T02:05:20.729462Z",
			"updated_at": "2026-04-10T02:00:03.86406Z",
			"deleted_at": null,
			"main_name": "GOLD ORION",
			"aliases": [
				"Wine Tempest"
			],
			"source_name": "Secureworks:GOLD ORION",
			"tools": [
				"Dharma"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b774174f-aeca-4ea8-8f2a-b4a70a2a0b85",
			"created_at": "2023-01-06T13:46:39.451474Z",
			"updated_at": "2026-04-10T02:00:03.333575Z",
			"deleted_at": null,
			"main_name": "PARINACOTA",
			"aliases": [
				"Wine Tempest"
			],
			"source_name": "MISPGALAXY:PARINACOTA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "703c2493-d713-4697-a691-4c2e09c032e9",
			"created_at": "2022-10-25T16:07:24.53647Z",
			"updated_at": "2026-04-10T02:00:05.025223Z",
			"deleted_at": null,
			"main_name": "Parinacota",
			"aliases": [
				"Wine Tempest"
			],
			"source_name": "ETDA:Parinacota",
			"tools": [
				"Mimikatz",
				"ProcDump",
				"Wadhrama"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434897,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c7d75d4543585079e43e77990accd057243dc53.pdf",
		"text": "https://archive.orkl.eu/0c7d75d4543585079e43e77990accd057243dc53.txt",
		"img": "https://archive.orkl.eu/0c7d75d4543585079e43e77990accd057243dc53.jpg"
	}
}