{
	"id": "910f34b9-9251-4e34-b24e-843ec87604f9",
	"created_at": "2026-04-06T00:19:34.261408Z",
	"updated_at": "2026-04-10T03:29:45.39787Z",
	"deleted_at": null,
	"sha1_hash": "189846d43512bb703ab258bc3efd509439212758",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62320,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:22:43 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Flame\n Tool: Flame\nNames\nFlame\nFlamer\nsKyWIper\nSkywiper\nCategory Malware\nType Backdoor, Rootkit, Keylogger, Info stealer, Exfiltration\nDescription\n(Wikipedia) Flame, also known as Flamer, sKyWIper, and Skywiper, is modular\ncomputer malware discovered in 2012 that attacks computers running the Microsoft\nWindows operating system. The program is being used for targeted cyber espionage in\nMiddle Eastern countries.\nIts discovery was announced on 28 May 2012 by MAHER Center of Iranian National\nComputer Emergency Response Team (CERT), Kaspersky Lab and CrySyS Lab of the\nBudapest University of Technology and Economics. The last of these stated in its report\nthat Flame 'is certainly the most sophisticated malware we encountered during our\npractice; arguably, it is the most complex malware ever found.' Flame can spread to\nother systems over a local network (LAN). It can record audio, screenshots, keyboard\nactivity and network traffic. The program also records Skype conversations and can turn\ninfected computers into Bluetooth beacons which attempt to download contact\ninformation from nearby Bluetooth-enabled devices. This data, along with locally stored\ndocuments, is sent on to one of several command and control servers that are scattered\naround the world. The program then awaits further instructions from these servers.\nInformation\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f2db51e8-30f4-4e61-a5df-c51fee52e2b4\nPage 1 of 2\n\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 24 April 2021\nDownload this tool card in JSON format\nAll groups using tool Flame\nChanged Name Country Observed\nAPT groups\n Equation Group 2001-Aug 2016\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f2db51e8-30f4-4e61-a5df-c51fee52e2b4\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f2db51e8-30f4-4e61-a5df-c51fee52e2b4\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f2db51e8-30f4-4e61-a5df-c51fee52e2b4"
	],
	"report_names": [
		"listgroups.cgi?u=f2db51e8-30f4-4e61-a5df-c51fee52e2b4"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434774,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/189846d43512bb703ab258bc3efd509439212758.pdf",
		"text": "https://archive.orkl.eu/189846d43512bb703ab258bc3efd509439212758.txt",
		"img": "https://archive.orkl.eu/189846d43512bb703ab258bc3efd509439212758.jpg"
	}
}