{ "id": "67df1c22-ea74-4272-a9bf-ab6e59a8d6bb", "created_at": "2026-04-06T00:12:53.203085Z", "updated_at": "2026-04-10T03:35:21.391623Z", "deleted_at": null, "sha1_hash": "2370dd96f7004b635f1391f6c60d94a7c0d6348b", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50158, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:49:35 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SysJoker\n Tool: SysJoker\nNames SysJoker\nCategory Malware\nType Backdoor\nDescription\n(Intezer) In December 2021, we discovered a new multi-platform backdoor that targets\nWindows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal. We\nnamed this backdoor SysJoker.\nSysJoker was first discovered during an active attack on a Linux-based web server of a leading\neducational institution. After further investigation, we found that SysJoker also has Mach-O\nand Windows PE versions. Based on Command and Control (C2) domain registration and\nsamples found in VirusTotal, we estimate that the SysJoker attack was initiated during the\nsecond half of 2021.\nSysJoker masquerades as a system update and generates its C2 by decoding a string retrieved\nfrom a text file hosted on Google Drive. During our analysis the C2 changed three times,\nindicating the attacker is active and monitoring for infected machines. Based on victimology\nand malware’s behavior, we assess that SysJoker is after specific targets.\nInformation\nMalpedia\nLast change to this tool card: 30 November 2023\nDownload this tool card in JSON format\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7f9085f8-5b43-4620-aec8-6cc4cd7eb108\nPage 1 of 2\n\nAll groups using tool SysJoker\r\nChanged Name Country Observed\r\nAPT groups\r\n  Operation Electric Powder [Unknown] 2016  \r\n  WildCard [Unknown] 2021  \r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7f9085f8-5b43-4620-aec8-6cc4cd7eb108\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7f9085f8-5b43-4620-aec8-6cc4cd7eb108\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7f9085f8-5b43-4620-aec8-6cc4cd7eb108" ], "report_names": [ "listgroups.cgi?u=7f9085f8-5b43-4620-aec8-6cc4cd7eb108" ], "threat_actors": [ { "id": "2864e40a-f233-4618-ac61-b03760a41cbb", "created_at": "2023-12-01T02:02:34.272108Z", "updated_at": "2026-04-10T02:00:04.97558Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "ETDA:WildCard", "tools": [ "RustDown", "SysJoker" ], "source_id": "ETDA", "reports": null }, { "id": "cd402658-d63c-40bc-b6ce-bb3d742904c5", "created_at": "2023-12-01T02:02:33.960041Z", "updated_at": "2026-04-10T02:00:04.804676Z", "deleted_at": null, "main_name": "Operation Electric Powder", "aliases": [], "source_name": "ETDA:Operation Electric Powder", "tools": [ "SysJoker" ], "source_id": "ETDA", "reports": null }, { "id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e", "created_at": "2023-11-30T02:00:07.299845Z", "updated_at": "2026-04-10T02:00:03.484788Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "MISPGALAXY:WildCard", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434373, "ts_updated_at": 1775792121, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2370dd96f7004b635f1391f6c60d94a7c0d6348b.pdf", "text": "https://archive.orkl.eu/2370dd96f7004b635f1391f6c60d94a7c0d6348b.txt", "img": "https://archive.orkl.eu/2370dd96f7004b635f1391f6c60d94a7c0d6348b.jpg" } }