{ "id": "038a591c-53d5-48bc-adfb-e23d8ac75c68", "created_at": "2026-04-06T01:31:05.968076Z", "updated_at": "2026-04-10T03:37:09.431939Z", "deleted_at": null, "sha1_hash": "0e792d021d4bd1a46751b0035a29d70691d99ad1", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 75179, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 00:49:10 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool NotPetya\n Tool: NotPetya\nNames\nNotPetya\nEternalPetya\nExPetr\nPnyetya\nPetna\nNyetya\nNonPetya\nnPetya\nPetrwrap\nDiskcoder.C\nGoldenEye\nCategory Malware\nType Ransomware, Wiper, Worm, Remote command\nDescription\n(US-CERT) On June 27, 2017, NCCIC was notified of Petya malware events occurring in\nmultiple countries and affecting multiple sectors. This variant of the Petya malware—\nreferred to as NotPetya—encrypts files with extensions from a hard-coded list.\nAdditionally, if the malware gains administrator rights, it encrypts the master boot record\n(MBR), making the infected Windows computers unusable. NotPetya differs from previous\nPetya malware primarily in its propagation methods.\nNotPetya leverages multiple propagation methods to spread within an infected network.\nAccording to malware analysis, NotPetya attempts the lateral movement techniques below:\n• PsExec - a legitimate Windows administration tool\n• WMI - Windows Management Instrumentation, a legitimate Windows component\n• EternalBlue - the same Windows SMBv1 exploit used by WannaCry\n• EternalRomance - another Windows SMBv1 exploit\nInformation\n\nb85626af34ef_story.html\u003e\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1c756d0-c922-45d9-94d5-fb355f523add\nPage 2 of 3\n\nMITRE ATT\u0026CK Malpedia\nAlienVault OTX Last change to this tool card: 21 May 2020\nDownload this tool card in JSON format\nAll groups using tool NotPetya\nChanged Name Country Observed\nAPT groups\n TeleBots 2015-Oct 2020\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1c756d0-c922-45d9-94d5-fb355f523add\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1c756d0-c922-45d9-94d5-fb355f523add\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f1c756d0-c922-45d9-94d5-fb355f523add" ], "report_names": [ "listgroups.cgi?u=f1c756d0-c922-45d9-94d5-fb355f523add" ], "threat_actors": [ { "id": "39842197-944a-49fd-9bec-eafa1807e0ea", "created_at": "2022-10-25T16:07:24.310589Z", "updated_at": "2026-04-10T02:00:04.931264Z", "deleted_at": null, "main_name": "TeleBots", "aliases": [], "source_name": "ETDA:TeleBots", "tools": [ "BadRabbit", "Black Energy", "BlackEnergy", "CredRaptor", "Diskcoder.C", "EternalPetya", "ExPetr", "Exaramel", "FakeTC", "Felixroot", "GreyEnergy", "GreyEnergy mini", "KillDisk", "LOLBAS", "LOLBins", "Living off the Land", "NonPetya", "NotPetya", "Nyetya", "Petna", "Petrwrap", "Pnyetya", "TeleBot", "TeleDoor", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "nPetya" ], "source_id": "ETDA", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775439065, "ts_updated_at": 1775792229, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0e792d021d4bd1a46751b0035a29d70691d99ad1.pdf", "text": "https://archive.orkl.eu/0e792d021d4bd1a46751b0035a29d70691d99ad1.txt", "img": "https://archive.orkl.eu/0e792d021d4bd1a46751b0035a29d70691d99ad1.jpg" } }