{ "id": "df9c16d5-0a5a-45ac-8241-e56f0102d636", "created_at": "2026-04-06T00:10:23.62755Z", "updated_at": "2026-04-10T03:31:48.798129Z", "deleted_at": null, "sha1_hash": "1a385df51701566b2f71c4ea2e66c37e86eec62d", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54435, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:42:44 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PyDCrypt\n Tool: PyDCrypt\nNames PyDCrypt\nCategory Malware\nType Remote command, Loader\nDescription\n(Check Point) The main goals of PyDCrypt are to infect other computers and to make\nsure the main payload, DCSrv, is executed properly. The executable is written in Python\nand compiled with PyInstaller with encryption, using the --key flag during the build\nphase. As we mentioned previously, the attackers build a new sample for each infected\norganization, and hardcode the parameters collected from the victim’s environment.\nInformation MITRE ATT\u0026CK Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool PyDCrypt\nChanged Name Country Observed\nOther groups\n Moses Staff 2021-Nov 2022\n1 group listed (0 APT, 1 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6d7303ed-87b7-4c75-89e0-80cbce684a85\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6d7303ed-87b7-4c75-89e0-80cbce684a85\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6d7303ed-87b7-4c75-89e0-80cbce684a85" ], "report_names": [ "listgroups.cgi?u=6d7303ed-87b7-4c75-89e0-80cbce684a85" ], "threat_actors": [ { "id": "527e04ee-7f5f-49aa-8653-f893b43730bd", "created_at": "2022-10-25T16:07:24.512541Z", "updated_at": "2026-04-10T02:00:05.017592Z", "deleted_at": null, "main_name": "Moses Staff", "aliases": [ "Abraham's Ax", "Cobalt Sapling", "DEV-0500", "G1009", "Marigold Sandstorm", "Vengeful Kitten", "White Dev 95" ], "source_name": "ETDA:Moses Staff", "tools": [ "DCSrv", "DCrSrv", "PyDCrypt", "StrifeWater", "StrifeWater RAT" ], "source_id": "ETDA", "reports": null }, { "id": "bef06c82-0f51-44ba-8451-049cd4ad8a52", "created_at": "2023-01-06T13:46:39.325635Z", "updated_at": "2026-04-10T02:00:03.288171Z", "deleted_at": null, "main_name": "MosesStaff", "aliases": [ "Moses Staff", "Marigold Sandstorm", "DEV-0500", "VENGEFUL KITTEN" ], "source_name": "MISPGALAXY:MosesStaff", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c4d0e4e1-5ad3-4455-8291-ce72a1e09e46", "created_at": "2022-10-27T08:27:13.055675Z", "updated_at": "2026-04-10T02:00:05.323068Z", "deleted_at": null, "main_name": "Moses Staff", "aliases": [ "Moses Staff", "DEV-0500", "Marigold Sandstorm" ], "source_name": "MITRE:Moses Staff", "tools": [ "PyDCrypt", "PsExec", "DCSrv", "StrifeWater" ], "source_id": "MITRE", "reports": null }, { "id": "6a5293c8-2a88-4a33-927a-4a0c946dc867", "created_at": "2025-08-07T02:03:24.778647Z", "updated_at": "2026-04-10T02:00:03.647413Z", "deleted_at": null, "main_name": "COBALT SAPLING", "aliases": [ "Abraham's Ax ", "DEV-0500", "Marigold Sandstorm ", "Moses Staff ", "Vengeful Kitten " ], "source_name": "Secureworks:COBALT SAPLING", "tools": [ "DCSrv", "PyDcrypt", "StrifeWater RAT" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434223, "ts_updated_at": 1775791908, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1a385df51701566b2f71c4ea2e66c37e86eec62d.pdf", "text": "https://archive.orkl.eu/1a385df51701566b2f71c4ea2e66c37e86eec62d.txt", "img": "https://archive.orkl.eu/1a385df51701566b2f71c4ea2e66c37e86eec62d.jpg" } }