{ "id": "be768c6b-17aa-4467-b95f-5e2d319b6966", "created_at": "2026-04-06T00:12:18.370383Z", "updated_at": "2026-04-10T03:28:04.55079Z", "deleted_at": null, "sha1_hash": "1da504e3af0e0440765aa1bf20bf015c9c7428f2", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 57688, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:34:44 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool MechaFlounder\n Tool: MechaFlounder\nNames MechaFlounder\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) MechaFlounder begins by entering a loop that will continuously attempt to\ncommunicate with its C2 server. The Trojan will use HTTP to send an outbound beacon\nto its C2 server that contains the user’s account name and hostname in the URL. The\ncode builds the URL by concatenating the username and hostname with two dashes “–”\nbetween the two strings. The code then creates the URL string by using the username\nand hostname string twice with the back-slash “\\” character between the two and by\nappending the string “-sample.html”.\nInformation\nMITRE ATT\u0026CK AlienVault OTX Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool MechaFlounder\nChanged Name Country Observed\nAPT groups\n Chafer, APT 39 2014-Sep 2020\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=662241e8-4952-4cfc-8d1f-e96dc38593e5\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=662241e8-4952-4cfc-8d1f-e96dc38593e5\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=662241e8-4952-4cfc-8d1f-e96dc38593e5\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=662241e8-4952-4cfc-8d1f-e96dc38593e5" ], "report_names": [ "listgroups.cgi?u=662241e8-4952-4cfc-8d1f-e96dc38593e5" ], "threat_actors": [ { "id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d", "created_at": "2025-08-07T02:03:24.741594Z", "updated_at": "2026-04-10T02:00:03.653394Z", "deleted_at": null, "main_name": "COBALT HICKMAN", "aliases": [ "APT39 ", "Burgundy Sandstorm ", "Chafer ", "ITG07 ", "Remix Kitten " ], "source_name": "Secureworks:COBALT HICKMAN", "tools": [ "MechaFlounder", "Mimikatz", "Remexi", "TREKX" ], "source_id": "Secureworks", "reports": null }, { "id": "bee22874-f90e-410b-93f3-a2f9b1c2e695", "created_at": "2022-10-25T16:07:23.45097Z", "updated_at": "2026-04-10T02:00:04.610108Z", "deleted_at": null, "main_name": "Chafer", "aliases": [ "APT 39", "Burgundy Sandstorm", "Cobalt Hickman", "G0087", "ITG07", "Radio Serpens", "Remix Kitten", "TA454" ], "source_name": "ETDA:Chafer", "tools": [ "ASPXSpy", "ASPXTool", "Antak", "CACHEMONEY", "EternalBlue", "HTTPTunnel", "LOLBAS", "LOLBins", "Living off the Land", "MechaFlounder", "Metasploit", "Mimikatz", "NBTscan", "NSSM", "Non-sucking Service Manager", "POWBAT", "Plink", "PuTTY Link", "Rana", "Remcom", "Remexi", "RemoteCommandExecution", "SafetyKatz", "UltraVNC", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "nbtscan", "pwdump" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434338, "ts_updated_at": 1775791684, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1da504e3af0e0440765aa1bf20bf015c9c7428f2.pdf", "text": "https://archive.orkl.eu/1da504e3af0e0440765aa1bf20bf015c9c7428f2.txt", "img": "https://archive.orkl.eu/1da504e3af0e0440765aa1bf20bf015c9c7428f2.jpg" } }