{
	"id": "4622c42a-a7c1-40fb-a153-857dc50b766c",
	"created_at": "2026-04-06T00:14:02.974579Z",
	"updated_at": "2026-04-10T13:12:10.024405Z",
	"deleted_at": null,
	"sha1_hash": "1534cf884b6987b6c04b351efcfa4d53c19e037f",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50363,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:24:17 UTC\n Other threat group: Karakurt\nNames\nKarakurt (self given)\nMushy Scorpius (Palo Alto)\nCountry [Unknown]\nMotivation Financial gain\nFirst seen 2021\nDescription\n(Accenture) Accenture Security has identified a new threat group, the self-proclaimed Karakurt Hacking Team, that has impacted over 40 victims across\nmultiple geographies. The threat group is financially motivated, opportunistic in\nnature, and so far, appears to target smaller companies or corporate subsidiaries\nversus the alternative big game hunting approach. Based on intrusion analysis to\ndate, the threat group focuses solely on data exfiltration and subsequent extortion,\nrather than the more destructive ransomware deployment. In addition, Accenture\nSecurity assesses with moderate-to-high confidence that the threat group’s extortion\napproach includes steps to avoid, as much as possible, drawing attention to its\nactivities.\nObserved\nSectors: Energy, Entertainment, Healthcare, Hospitality, Industrial, Manufacturing,\nRetail, Technology.\nCountries: USA and Europe.\nTools used 7-Zip, AnyDesk, Cobalt Strike, FileZilla, Mimikatz, WinZip, Living off the Land.\nOperations performed Sep 2022\nMigration policy org confirms cyberattack after extortion group\ntouts theft\nInformation\nLast change to this card: 27 June 2025\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=a0013d64-bbae-4488-876b-b8ee9d364f3a\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a0013d64-bbae-4488-876b-b8ee9d364f3a\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=a0013d64-bbae-4488-876b-b8ee9d364f3a\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a0013d64-bbae-4488-876b-b8ee9d364f3a"
	],
	"report_names": [
		"showcard.cgi?u=a0013d64-bbae-4488-876b-b8ee9d364f3a"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434442,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1534cf884b6987b6c04b351efcfa4d53c19e037f.pdf",
		"text": "https://archive.orkl.eu/1534cf884b6987b6c04b351efcfa4d53c19e037f.txt",
		"img": "https://archive.orkl.eu/1534cf884b6987b6c04b351efcfa4d53c19e037f.jpg"
	}
}