{
	"id": "e668f63c-3645-4076-a6dd-16a4ecb89fc1",
	"created_at": "2026-04-06T03:36:49.850396Z",
	"updated_at": "2026-04-10T03:34:02.922723Z",
	"deleted_at": null,
	"sha1_hash": "182f048515c7bf8aac7dd677dbf5caaeac166a13",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53715,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 02:57:18 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SHAPESHIFT\r\n Tool: SHAPESHIFT\r\nNames SHAPESHIFT\r\nCategory Malware\r\nType Wiper\r\nDescription\r\n(FireEye) The SHAPESHIFT malware is capable of wiping disks, erasing volumes and\r\ndeleting files, depending on its configuration.\r\nInformation\r\n\u003chttps://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift\u003e\r\nLast change to this tool card: 23 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool SHAPESHIFT\r\nChanged Name Country Observed\r\nAPT groups\r\n  APT 33, Elfin, Magnallium 2013-Apr 2024  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9a945f93-c6f1-4cf8-8843-2f8fa696f659\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9a945f93-c6f1-4cf8-8843-2f8fa696f659\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9a945f93-c6f1-4cf8-8843-2f8fa696f659"
	],
	"report_names": [
		"listgroups.cgi?u=9a945f93-c6f1-4cf8-8843-2f8fa696f659"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446609,
	"ts_updated_at": 1775792042,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/182f048515c7bf8aac7dd677dbf5caaeac166a13.pdf",
		"text": "https://archive.orkl.eu/182f048515c7bf8aac7dd677dbf5caaeac166a13.txt",
		"img": "https://archive.orkl.eu/182f048515c7bf8aac7dd677dbf5caaeac166a13.jpg"
	}
}