{ "id": "9145636e-a883-4262-9985-d37b05b6b981", "created_at": "2026-04-06T00:07:22.224164Z", "updated_at": "2026-04-10T03:31:48.795386Z", "deleted_at": null, "sha1_hash": "178110075d0c180936608266eeaac523f2525b2e", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 55615, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:52:36 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool StrifeWater\n Tool: StrifeWater\nNames\nStrifeWater\nStrifeWater RAT\nCategory Malware\nType Backdoor, Info stealer, Downloader\nDescription\n(Cybereason) The StrifeWater RAT appears to be used in the initial stage of the attack\nand this stealthy RAT has the ability to remove itself from the system to cover the\nIranian group’s tracks. The RAT possesses other capabilities, such as command\nexecution and screen capturing, as well as the ability to download additional extensions.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool StrifeWater\nChanged Name Country Observed\nOther groups\n Moses Staff 2021-Nov 2022\n1 group listed (0 APT, 1 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e5ec8441-5f1e-41fd-8d1b-704ff4fbd541\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e5ec8441-5f1e-41fd-8d1b-704ff4fbd541\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e5ec8441-5f1e-41fd-8d1b-704ff4fbd541" ], "report_names": [ "listgroups.cgi?u=e5ec8441-5f1e-41fd-8d1b-704ff4fbd541" ], "threat_actors": [ { "id": "527e04ee-7f5f-49aa-8653-f893b43730bd", "created_at": "2022-10-25T16:07:24.512541Z", "updated_at": "2026-04-10T02:00:05.017592Z", "deleted_at": null, "main_name": "Moses Staff", "aliases": [ "Abraham's Ax", "Cobalt Sapling", "DEV-0500", "G1009", "Marigold Sandstorm", "Vengeful Kitten", "White Dev 95" ], "source_name": "ETDA:Moses Staff", "tools": [ "DCSrv", "DCrSrv", "PyDCrypt", "StrifeWater", "StrifeWater RAT" ], "source_id": "ETDA", "reports": null }, { "id": "bef06c82-0f51-44ba-8451-049cd4ad8a52", "created_at": "2023-01-06T13:46:39.325635Z", "updated_at": "2026-04-10T02:00:03.288171Z", "deleted_at": null, "main_name": "MosesStaff", "aliases": [ "Moses Staff", "Marigold Sandstorm", "DEV-0500", "VENGEFUL KITTEN" ], "source_name": "MISPGALAXY:MosesStaff", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c4d0e4e1-5ad3-4455-8291-ce72a1e09e46", "created_at": "2022-10-27T08:27:13.055675Z", "updated_at": "2026-04-10T02:00:05.323068Z", "deleted_at": null, "main_name": "Moses Staff", "aliases": [ "Moses Staff", "DEV-0500", "Marigold Sandstorm" ], "source_name": "MITRE:Moses Staff", "tools": [ "PyDCrypt", "PsExec", "DCSrv", "StrifeWater" ], "source_id": "MITRE", "reports": null }, { "id": "6a5293c8-2a88-4a33-927a-4a0c946dc867", "created_at": "2025-08-07T02:03:24.778647Z", "updated_at": "2026-04-10T02:00:03.647413Z", "deleted_at": null, "main_name": "COBALT SAPLING", "aliases": [ "Abraham's Ax ", "DEV-0500", "Marigold Sandstorm ", "Moses Staff ", "Vengeful Kitten " ], "source_name": "Secureworks:COBALT SAPLING", "tools": [ "DCSrv", "PyDcrypt", "StrifeWater RAT" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434042, "ts_updated_at": 1775791908, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/178110075d0c180936608266eeaac523f2525b2e.pdf", "text": "https://archive.orkl.eu/178110075d0c180936608266eeaac523f2525b2e.txt", "img": "https://archive.orkl.eu/178110075d0c180936608266eeaac523f2525b2e.jpg" } }