{
	"id": "642b9e8a-8f6d-4540-a41c-5a7ed988fa6b",
	"created_at": "2026-04-06T00:12:22.811892Z",
	"updated_at": "2026-04-10T03:31:48.410927Z",
	"deleted_at": null,
	"sha1_hash": "150f77481cc6d1225b62d641c5fa24554aba7806",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47680,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:44:23 UTC\r\n Tool: TESDAT\r\nNames TESDAT\r\nCategory Malware\r\nType Loader\r\nDescription\r\n(Trend Micro) The newer loader we later found is called TESDAT. It always loads a payload\r\nfile with a “.dat” extension (like “mns.dat”). Instead of using common APIs like CreateThread\r\nto execute the decoded shellcode, it always calls an API called “SwitchToFiber,” which we\r\nthink is an attempt to avoid detection. Our analysis showed two variants for TESDAT loaders.\r\nIt can be either an EXE file or a DLL file with an export function called “Init.”\r\nInformation \u003chttps://www.trendmicro.com/en_us/research/25/d/earth-kurma-apt-campaign.html\u003e\r\nLast change to this tool card: 27 June 2025\r\nAll groups using tool TESDAT\r\nChanged Name Country Observed\r\nAPT groups\r\n  Earth Kurma 2020  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6eeb5092-faf7-494c-ab70-73d5451acaf8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6eeb5092-faf7-494c-ab70-73d5451acaf8"
	],
	"report_names": [
		"listgroups.cgi?u=6eeb5092-faf7-494c-ab70-73d5451acaf8"
	],
	"threat_actors": [
		{
			"id": "222835b0-22fb-406e-8fd5-f36dae694212",
			"created_at": "2025-06-29T02:01:56.985922Z",
			"updated_at": "2026-04-10T02:00:04.666399Z",
			"deleted_at": null,
			"main_name": "Earth Kurma",
			"aliases": [],
			"source_name": "ETDA:Earth Kurma",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DMLOADER",
				"DUNLOADER",
				"KRNRAT",
				"Moriya",
				"ODRIZ",
				"SIMPOBOXSPY",
				"TESDAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f161dc2b-a18e-43b9-9786-2285bc745a10",
			"created_at": "2025-05-29T02:00:03.214326Z",
			"updated_at": "2026-04-10T02:00:03.867482Z",
			"deleted_at": null,
			"main_name": "Earth Kurma",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Kurma",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775791908,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/150f77481cc6d1225b62d641c5fa24554aba7806.pdf",
		"text": "https://archive.orkl.eu/150f77481cc6d1225b62d641c5fa24554aba7806.txt",
		"img": "https://archive.orkl.eu/150f77481cc6d1225b62d641c5fa24554aba7806.jpg"
	}
}