{
	"id": "ebd105ab-280b-4ecd-9635-3d002f24353a",
	"created_at": "2026-04-06T00:12:10.227415Z",
	"updated_at": "2026-04-10T03:23:17.997108Z",
	"deleted_at": null,
	"sha1_hash": "1357a684c67340ed29d302789a1da08e424fb859",
	"title": "Olympic Destroyer - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55168,
	"plain_text": "Olympic Destroyer - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:13:08 UTC\nTool: Olympic Destroyer\nNames\nOlympic Destroyer\nSOURGRAPE\nCategory Malware\nType Credential stealer, Wiper, Worm, Remote command\nDescription\n(Kaspersky) The main malware module is a network worm that consists of multiple\ncomponents, including a legitimate PsExec tool from SysInternals’ suite, a few\ncredential stealer modules and a wiper. From a technical perspective, the purpose of the\nmalware is to deliver and start the wiper payload which attempts to destroy files on the\nremote network shares over the next 60 minutes. Meanwhile, the main module collects\nuser passwords from browser and Windows storage and crafts a new generation of the\nworm that contains old and freshly collected compromised credentials. The new\ngeneration of the worm is pushed to accessible local network computers and starts using\nthe PsExec tool, leveraging the collected credentials and current user privileges.\nOnce the wiper has run for 60 minutes it cleans Windows event logs, resets backups,\ndeletes shadow copies from the file system, disables the recovery item in the Windows\nboot menu, disables all the services on the system and reboots the computer. Those files\non the network shares that it managed to wipe within 60 minutes remain destroyed. The\nmalware doesn’t use any persistence and even contains protection (also a killswitch)\nagainst recurring reinfection. 
Incidentally, only 1MB of the remote files are fully\noverwritten with zeroes; larger files were wiped with just 1K of zeroes in the header.\nThe local files are not destroyed and the worm doesn’t wipe itself or its components.\nInformation MITRE ATT\u0026CK Malpedia AlienVault OTX\nLast change to this tool card: 14 May 2020\nAll groups using tool Olympic Destroyer\nChanged Name Country Observed\nAPT groups\n Hades 2017-Oct 2020\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0662a96f-61af-4f1c-b978-9f42d155cf0c",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0662a96f-61af-4f1c-b978-9f42d155cf0c"
	],
	"report_names": [
		"listgroups.cgi?u=0662a96f-61af-4f1c-b978-9f42d155cf0c"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434330,
	"ts_updated_at": 1775791397,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1357a684c67340ed29d302789a1da08e424fb859.pdf",
		"text": "https://archive.orkl.eu/1357a684c67340ed29d302789a1da08e424fb859.txt",
		"img": "https://archive.orkl.eu/1357a684c67340ed29d302789a1da08e424fb859.jpg"
	}
}