{ "id": "535fb7e6-e604-44b3-b08a-26be83460a4d", "created_at": "2026-04-06T01:30:31.139426Z", "updated_at": "2026-04-10T03:36:27.479778Z", "deleted_at": null, "sha1_hash": "2934135baa137ea605229f4e1b1f0f8ea3d36597", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45853, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:18:08 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Inception\r\n Tool: Inception\r\nNames Inception\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Symantec) Word documents attached to Inception’s spear-phishing emails leveraged two\r\nMicrosoft Office vulnerabilities (CVE-2014-1761 and CVE-2012-0158) to install malware on\r\nthe recipient’s computer. The malware had a multi-staged structure that began with a malicious\r\nRTF document and ended with an in-memory DLL payload that communicated, via the\r\nWebDAV protocol, with a command and control (C\u0026C) address from a legitimate cloud\r\nservice provider (CloudMe.com). The name “Inception” comes from the group’s many levels\r\nof obfuscation and indirection it employed in delivering this payload.\r\nInformation\r\n\u003chttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Inception\r\nChanged Name Country Observed\r\nAPT groups\r\n  Inception Framework, Cloud Atlas 2012-2024  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=639ea4a1-7345-4e52-88b8-cc1cdb73ef2b\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=639ea4a1-7345-4e52-88b8-cc1cdb73ef2b\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=639ea4a1-7345-4e52-88b8-cc1cdb73ef2b" ], "report_names": [ "listgroups.cgi?u=639ea4a1-7345-4e52-88b8-cc1cdb73ef2b" ], "threat_actors": [ { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439031, "ts_updated_at": 1775792187, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2934135baa137ea605229f4e1b1f0f8ea3d36597.pdf", "text": "https://archive.orkl.eu/2934135baa137ea605229f4e1b1f0f8ea3d36597.txt", "img": "https://archive.orkl.eu/2934135baa137ea605229f4e1b1f0f8ea3d36597.jpg" } }