{
	"id": "f9cc28ac-112e-40a7-8b0e-2ec83b796844",
	"created_at": "2026-04-06T00:08:24.16282Z",
	"updated_at": "2026-04-10T13:12:25.706716Z",
	"deleted_at": null,
	"sha1_hash": "17fe944b141fd0b34d025433c2ab08454465121b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57335,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:52:47 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Remexi\nTool: Remexi\nNames\nRemexi\nCACHEMONEY\nCategory Malware\nType Backdoor, Keylogger, Info stealer\nDescription\n(Kaspersky) Remexi boasts features that allow it to gather keystrokes, take screenshots of windows of interest (as defined in its configuration), steal credentials, logons and the browser history, and execute remote commands. Encryption consists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim’s data.\nRemexi includes different modules that it deploys in its working directory, including configuration decryption and parsing, launching victim activity logging in a separate module, and seven threads for various espionage and auxiliary functions. The Remexi developers seem to rely on legitimate Microsoft utilities.\nInformation MITRE ATT\u0026CK Malpedia Last change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool Remexi\nChanged Name Country Observed\nAPT groups\nChafer, APT 39 2014-Sep 2020\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=26363b6b-e756-4ba3-93ab-2513e5352143",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=26363b6b-e756-4ba3-93ab-2513e5352143"
	],
	"report_names": [
		"listgroups.cgi?u=26363b6b-e756-4ba3-93ab-2513e5352143"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434104,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17fe944b141fd0b34d025433c2ab08454465121b.pdf",
		"text": "https://archive.orkl.eu/17fe944b141fd0b34d025433c2ab08454465121b.txt",
		"img": "https://archive.orkl.eu/17fe944b141fd0b34d025433c2ab08454465121b.jpg"
	}
}