{ "id": "5c5c6f49-6526-4493-a3d6-0ef0362db8fe", "created_at": "2026-04-06T00:09:55.140832Z", "updated_at": "2026-04-10T03:37:04.152519Z", "deleted_at": null, "sha1_hash": "15a82c5fee4e3c72f2d4c4646d5079272dfcaa20", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48032, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:42:53 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PowerPunch\n Tool: PowerPunch\nNames PowerPunch\nCategory Malware\nType Downloader, Loader\nDescription\n(Microsoft) PowerPunch is executed from within PowerShell as a one-line command,\nencoded using Base64. These binaries also exhibit features that rely on data from the\ncompromised host to inform encryption of the next stage. PowerPunch also provides an\nexcellent example of this. The VolumeSerialNumber of the host serves as the basis for a\nmultibyte XOR key. The key is applied to an executable payload downloaded directly\nfrom adversary infrastructure, allowing for an encryption key unique to the target host.\nUltimately, a next-stage executable is remotely retrieved and dropped to disk prior to\nexecution.\nInformation\nMITRE ATT\u0026CK Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool PowerPunch\nChanged Name Country Observed\nAPT groups\n Gamaredon Group 2013-Feb 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2653faee-fcff-4add-8934-b0ae27606c61\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2653faee-fcff-4add-8934-b0ae27606c61\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2653faee-fcff-4add-8934-b0ae27606c61\r\nPage 2 of 2\n\nAPT groups Gamaredon Group 2013-Feb 2025 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2653faee-fcff-4add-8934-b0ae27606c61" ], "report_names": [ "listgroups.cgi?u=2653faee-fcff-4add-8934-b0ae27606c61" ], "threat_actors": [ { "id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308", "created_at": "2022-10-25T15:50:23.320841Z", "updated_at": "2026-04-10T02:00:05.356444Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Gamaredon Group", "IRON TILDEN", "Primitive Bear", "ACTINIUM", "Armageddon", "Shuckworm", "DEV-0157", "Aqua Blizzard" ], "source_name": "MITRE:Gamaredon Group", "tools": [ "QuietSieve", "Pteranodon", "Remcos", "PowerPunch" ], "source_id": "MITRE", "reports": null }, { "id": "d5156b55-5d7d-4fb2-836f-861d2e868147", "created_at": "2023-01-06T13:46:38.557326Z", "updated_at": "2026-04-10T02:00:03.023048Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "ACTINIUM", "DEV-0157", "Blue Otso", "G0047", "IRON TILDEN", "PRIMITIVE BEAR", "Shuckworm", "UAC-0010", "BlueAlpha", "Trident Ursa", "Winterflounder", "Aqua Blizzard", "Actinium" ], "source_name": "MISPGALAXY:Gamaredon Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null }, { "id": "236a8303-bf12-4787-b6d0-549b44271a19", "created_at": "2024-06-04T02:03:07.966137Z", "updated_at": "2026-04-10T02:00:03.706923Z", "deleted_at": null, "main_name": "IRON TILDEN", "aliases": [ "ACTINIUM ", "Aqua Blizzard ", "Armageddon", "Blue Otso ", "BlueAlpha ", "Dancing Salome ", "Gamaredon", "Gamaredon Group", "Hive0051 ", "Primitive Bear ", "Shuckworm ", "Trident Ursa ", "UAC-0010 ", "UNC530 ", "WinterFlounder " ], "source_name": "Secureworks:IRON TILDEN", "tools": [ "Pterodo" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434195, "ts_updated_at": 1775792224, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/15a82c5fee4e3c72f2d4c4646d5079272dfcaa20.pdf", "text": "https://archive.orkl.eu/15a82c5fee4e3c72f2d4c4646d5079272dfcaa20.txt", "img": "https://archive.orkl.eu/15a82c5fee4e3c72f2d4c4646d5079272dfcaa20.jpg" } }