{ "id": "ced20c95-aa1d-4f0b-b2b9-9fe4ca0a92b2", "created_at": "2026-04-06T00:22:08.75069Z", "updated_at": "2026-04-10T03:37:41.099348Z", "deleted_at": null, "sha1_hash": "150859aa277973f6b1e67f5415866d0f0a64fe2a", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54180, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:43:54 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BabyShark\n Tool: BabyShark\nNames\nBabyShark\nLATEOP\nCategory Malware\nType Reconnaissance, Backdoor\nDescription\nBabyShark is Microsoft Visual Basic (VB) script-based malware family first seen in\nNovember 2018. The malware is launched by executing the first stage HTA from a\nremote location, thus it can be delivered via different file types including PE files as\nwell as malicious documents. It exfiltrates system information to C2 server, maintains\npersistence on the system, and waits for further instruction from the operator.\n(Palo Alto) Based on our research, it appears the malware author calls the encoded\nsecondary payload “Cowboy” regardless of what malware family is delivered.\nIn our analysis, we found BabyShark attacks were using KimJongRAT and Gh0st RAT\nas the encoded secondary payload and thus were the “Cowboys”.\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 30 November 2023\nDownload this tool card in JSON format\nAll groups using tool BabyShark\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6740d62a-db55-4938-a560-47d7ff7a529c\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  Kimsuky, Velvet Chollima 2012-Aug 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6740d62a-db55-4938-a560-47d7ff7a529c\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6740d62a-db55-4938-a560-47d7ff7a529c\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6740d62a-db55-4938-a560-47d7ff7a529c" ], "report_names": [ "listgroups.cgi?u=6740d62a-db55-4938-a560-47d7ff7a529c" ], "threat_actors": [ { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434928, "ts_updated_at": 1775792261, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/150859aa277973f6b1e67f5415866d0f0a64fe2a.pdf", "text": "https://archive.orkl.eu/150859aa277973f6b1e67f5415866d0f0a64fe2a.txt", "img": "https://archive.orkl.eu/150859aa277973f6b1e67f5415866d0f0a64fe2a.jpg" } }