{
	"id": "b2e58154-2cd2-4615-9889-25afa4c45a75",
	"created_at": "2026-04-06T00:17:09.47932Z",
	"updated_at": "2026-04-10T13:11:58.129796Z",
	"deleted_at": null,
	"sha1_hash": "142a2d33c5b23f680eba345c6082aecb3dd09aa9",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31279,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-02 11:33:33 UTC\r\n(US-CERT) This file is a malicious 32-bit Windows executable. Analysis indicates the primary purpose of this\r\napplication is to destroy a compromised Windows system by overwriting and deleting the Master Boot Record\r\n(MBR) on the victim's system and deleting files on network mapped shares as well as physically attached storage\r\ndevices.\r\nThe malware must be executed from a command line using any alphanumeric character or string as an argument.\r\nOnce executed, themalware first attempts to disable the 'System Event Notification' and 'Alerter' services.\r\nNote: The Alerter service is present in Windows XP and Windows 2003, which are no longer supported by\r\nMicrosoft. Current operating systems supported by Microsoft do not run the Alerter service.\r\nNext, the malware overwrites the MBR, displaying a status in the command (CMD) window. If the malware is\r\nable to overwrite the MBR, an 'OK' status is displayed in the CMD window. If the malware is unable to overwrite\r\nthe MBR, a 'Fail' status is displayed.\r\nAfter the MBR is overwritten, the malware attempts to gain access to physical and network drives attached to the\r\nvictim's system and recursively enumerate through the drive’s contents. When the malware identifies a file, it\r\noverwrites the file's contents with NULL bytes, renames the file with a randomly generated file name, then deletes\r\nthe file, making forensic recovery impossible.\r\nIf the malware is able to overwrite, rename and delete the file, the CMD window will display a 'Break\u003e' status. If\r\nthe malware is only able to delete the file, the CMD window will display a 'Del\u003e' status.\r\nOnce the malware has completed deleting files, the system is rebooted. 
If the malware has executed successfully,\r\nthe system is rendered inoperative.\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c233247d-9333-41c5-ac32-8910a5f357e4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c233247d-9333-41c5-ac32-8910a5f357e4"
	],
	"report_names": [
		"listgroups.cgi?u=c233247d-9333-41c5-ac32-8910a5f357e4"
	],
	"threat_actors": [],
	"ts_created_at": 1775434629,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/142a2d33c5b23f680eba345c6082aecb3dd09aa9.pdf",
		"text": "https://archive.orkl.eu/142a2d33c5b23f680eba345c6082aecb3dd09aa9.txt",
		"img": "https://archive.orkl.eu/142a2d33c5b23f680eba345c6082aecb3dd09aa9.jpg"
	}
}