{ "id": "cd4b522f-2364-43bf-b73a-e6a29f52270a", "created_at": "2026-04-06T00:10:48.139322Z", "updated_at": "2026-04-10T03:35:29.11773Z", "deleted_at": null, "sha1_hash": "25215b6d30f225b39814b3dd0472964bd5b3e7fe", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 44041, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:43:03 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Kikothac\r\n Tool: Kikothac\r\nNames Kikothac\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Group-IB) During the first operations the cybercriminals used a third-party patched backdoor\r\nKikothac without access to its source code. They chose a Trojan, which had been known since\r\nNovember 2015, and did not require a lot of time for reverse engineering and back end\r\nimplementation.\r\nThe usage of this disassembled backdoor indicates that the group started without preparation\r\nand the first operation was a mere attempt to test their capabilities.\r\nInformation \u003chttps://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac\u003e\r\nLast change to this tool card: 23 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Kikothac\r\nChanged Name Country Observed\r\nAPT groups\r\n  Silence, Contract Crew [Unknown] 2016-Aug 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ac6315b8-395b-4337-935c-feaad4b4dbab\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ac6315b8-395b-4337-935c-feaad4b4dbab\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ac6315b8-395b-4337-935c-feaad4b4dbab" ], "report_names": [ "listgroups.cgi?u=ac6315b8-395b-4337-935c-feaad4b4dbab" ], "threat_actors": [ { "id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0", "created_at": "2022-10-25T15:50:23.710403Z", "updated_at": "2026-04-10T02:00:05.281246Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "Whisper Spider" ], "source_name": "MITRE:Silence", "tools": [ "Winexe", "SDelete" ], "source_id": "MITRE", "reports": null }, { "id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7", "created_at": "2025-03-29T02:05:20.764715Z", "updated_at": "2026-04-10T02:00:03.851829Z", "deleted_at": null, "main_name": "GOLD WYMAN", "aliases": [ "Silence " ], "source_name": "Secureworks:GOLD WYMAN", "tools": [ "Silence" ], "source_id": "Secureworks", "reports": null }, { "id": "88e53203-891a-46f8-9ced-81d874a271c4", "created_at": "2022-10-25T16:07:24.191982Z", "updated_at": "2026-04-10T02:00:04.895327Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "ATK 86", "Contract Crew", "G0091", "TAG-CR8", "TEMP.TruthTeller", "Whisper Spider" ], "source_name": "ETDA:Silence", "tools": [ "EDA", "EmpireDNSAgent", "Farse", "Ivoke", "Kikothac", "LOLBAS", "LOLBins", "Living off the Land", "Meterpreter", "ProxyBot", "ReconModule", "Silence.Downloader", "TiniMet", "TinyMet", "TrueBot", "xfs-disp.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434248, "ts_updated_at": 1775792129, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/25215b6d30f225b39814b3dd0472964bd5b3e7fe.pdf", "text": "https://archive.orkl.eu/25215b6d30f225b39814b3dd0472964bd5b3e7fe.txt", "img": "https://archive.orkl.eu/25215b6d30f225b39814b3dd0472964bd5b3e7fe.jpg" } }