{
	"id": "8fc36624-1b0a-4546-96aa-3f82e9f14268",
	"created_at": "2026-04-06T00:11:39.00878Z",
	"updated_at": "2026-04-10T13:11:51.342874Z",
	"deleted_at": null,
	"sha1_hash": "0eb3bf2605b305714e6f811c9278e68ec4f42667",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52894,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-02 12:11:38 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool DanDrop\r\n Tool: DanDrop\r\nNames DanDrop\r\nCategory Malware\r\nType Dropper\r\nDescription\r\n(SecureWorks) The threat actors use this malicious macro to extract the DanBot payload from\r\nthe weaponized document and then Base64-decode and install the malware using a scheduled\r\ntask. The basic form and function of the macro have remained constant across analyzed\r\nsamples, but the threat actors have made incremental improvements to obfuscate the macro\r\nand refactor some of the functionality.\r\nInformation \u003chttps://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool DanDrop\r\nChanged Name Country Observed\r\nAPT groups\r\n  Hexane 2017-Jun 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=580fa928-850c-4a8e-9b58-406a68f57e13\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=580fa928-850c-4a8e-9b58-406a68f57e13\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=580fa928-850c-4a8e-9b58-406a68f57e13"
	],
	"report_names": [
		"listgroups.cgi?u=580fa928-850c-4a8e-9b58-406a68f57e13"
	],
	"threat_actors": [
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fb8f3a5f-01a9-498e-9396-52f844424c33",
			"created_at": "2023-01-06T13:46:39.045338Z",
			"updated_at": "2026-04-10T02:00:03.195743Z",
			"deleted_at": null,
			"main_name": "LYCEUM",
			"aliases": [
				"Spirlin",
				"MYSTICDOME",
				"siamesekitten",
				"Chrono Kitten",
				"Storm-0133",
				"COBALT LYCEUM",
				"UNC1530"
			],
			"source_name": "MISPGALAXY:LYCEUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "386b1b0a-9217-46d4-a0d6-73d6286154e0",
			"created_at": "2025-08-07T02:03:24.760429Z",
			"updated_at": "2026-04-10T02:00:03.619131Z",
			"deleted_at": null,
			"main_name": "COBALT LYCEUM",
			"aliases": [
				"DEV-0133",
				"HEXANE",
				"ScorchedEpoch"
			],
			"source_name": "Secureworks:COBALT LYCEUM",
			"tools": [
				"DanBot",
				"MilanRAT",
				"RGDoor",
				"SharkWork RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434299,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0eb3bf2605b305714e6f811c9278e68ec4f42667.pdf",
		"text": "https://archive.orkl.eu/0eb3bf2605b305714e6f811c9278e68ec4f42667.txt",
		"img": "https://archive.orkl.eu/0eb3bf2605b305714e6f811c9278e68ec4f42667.jpg"
	}
}