{
	"id": "5544601c-56ad-435b-bb12-6eb3ae00dd32",
	"created_at": "2026-04-06T00:19:40.509856Z",
	"updated_at": "2026-04-10T03:31:42.194378Z",
	"deleted_at": null,
	"sha1_hash": "1273405956ca170c783d45e26d1a56cf47dbc8f5",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56392,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:11:01 UTC\nTool: CASHY200\nNames CASHY200\nCategory Malware\nType Backdoor, Tunneling\nDescription\n(Palo Alto) During our continued analysis of the xHunt campaign, we observed several domains with ties to the pasta58[.]com domain associated with known Sakabota command and control (C2) activity. In June 2019, we observed one of these overlapping domains, specifically, windows64x[.]com, being used as the C2 server for a new PowerShell based backdoor that we’ve named CASHY200. This PowerShell backdoor used DNS tunneling to communicate with its C2 server, specifically by issuing DNS A queries to the actor controlled name server at the aforementioned domain. CASHY200 parses data provided by the C2 server within DNS answers to run commands on the system and send the results back to the C2 via DNS queries. In several samples, CASHY200 used randomly generated identifiers that are stored in the registry at HKCU\\Software\\Microsoft\\Cashe\\index and used the command value 200 to communicate with the C2 server. These details are the basis for the name CASHY200.\nInformation\nMalpedia\nLast change to this tool card: 24 April 2021\nAll groups using tool CASHY200\nChanged Name Country Observed\nAPT groups\nxHunt 2018-Aug 2019\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=41361ba3-bb89-463f-b716-f7428933462f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=41361ba3-bb89-463f-b716-f7428933462f"
	],
	"report_names": [
		"listgroups.cgi?u=41361ba3-bb89-463f-b716-f7428933462f"
	],
	"threat_actors": [
		{
			"id": "20bc5b83-9ea0-4e60-a23e-19bf203dc9fb",
			"created_at": "2022-10-25T16:07:24.432777Z",
			"updated_at": "2026-04-10T02:00:04.986077Z",
			"deleted_at": null,
			"main_name": "xHunt",
			"aliases": [
				"Cobalt Katana",
				"Hive0081",
				"Hunter Serpens",
				"SectorD01"
			],
			"source_name": "ETDA:xHunt",
			"tools": [
				"CASHY200",
				"COLDTRAIN",
				"Gon",
				"Hisoka",
				"Killua",
				"Netero",
				"SHELLSTING",
				"Sakabota",
				"Snugy",
				"TriFive"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c5a103eb-08af-410b-b11d-3635f4d4a3eb",
			"created_at": "2025-08-07T02:03:24.756187Z",
			"updated_at": "2026-04-10T02:00:03.667108Z",
			"deleted_at": null,
			"main_name": "COBALT KATANA",
			"aliases": [
				"Hive0081",
				"SectorD01",
				"xHunt campaign"
			],
			"source_name": "Secureworks:COBALT KATANA",
			"tools": [
				"CASHY200",
				"Diezen",
				"Eye",
				"Gon",
				"Hisoka",
				"Hisoka Netero",
				"HyphenShell",
				"Killua",
				"Sakabota",
				"Sakabota Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434780,
	"ts_updated_at": 1775791902,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1273405956ca170c783d45e26d1a56cf47dbc8f5.pdf",
		"text": "https://archive.orkl.eu/1273405956ca170c783d45e26d1a56cf47dbc8f5.txt",
		"img": "https://archive.orkl.eu/1273405956ca170c783d45e26d1a56cf47dbc8f5.jpg"
	}
}