{ "id": "7c91e45f-b8b9-4419-833b-f87925a52366", "created_at": "2026-04-06T00:15:06.917668Z", "updated_at": "2026-04-10T13:12:35.443055Z", "deleted_at": null, "sha1_hash": "2f203432216fb7236122f06fa71410ccead03186", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54933, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:19:16 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SafetyKatz\r\n Tool: SafetyKatz\r\nNames SafetyKatz\r\nCategory Tools\r\nType Credential stealer\r\nDescription\r\nSafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project\r\nand @subtee's .NET PE Loader.\r\nInformation \u003chttps://github.com/GhostPack/SafetyKatz\u003e\r\nLast change to this tool card: 02 November 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool SafetyKatz\r\nChanged Name Country Observed\r\nAPT groups\r\n  Chafer, APT 39 2014-Sep 2020\r\n  MalKamak 2018  \r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d44dcfd7-93d4-4a9c-a68d-c37844d59d4d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d44dcfd7-93d4-4a9c-a68d-c37844d59d4d\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d44dcfd7-93d4-4a9c-a68d-c37844d59d4d" ], "report_names": [ "listgroups.cgi?u=d44dcfd7-93d4-4a9c-a68d-c37844d59d4d" ], "threat_actors": [ { "id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d", "created_at": "2025-08-07T02:03:24.741594Z", "updated_at": "2026-04-10T02:00:03.653394Z", "deleted_at": null, "main_name": "COBALT HICKMAN", "aliases": [ "APT39 ", "Burgundy Sandstorm ", "Chafer ", "ITG07 ", "Remix Kitten " ], "source_name": "Secureworks:COBALT HICKMAN", "tools": [ "MechaFlounder", "Mimikatz", "Remexi", "TREKX" ], "source_id": "Secureworks", "reports": null }, { "id": "8205484f-7cf2-4b43-b2de-c1a500ae310e", "created_at": "2022-10-25T16:07:23.861533Z", "updated_at": "2026-04-10T02:00:04.764666Z", "deleted_at": null, "main_name": "MalKamak", "aliases": [ "Operation GhostShell" ], "source_name": "ETDA:MalKamak", "tools": [ "PAExec", "SafetyKatz", "ShellClient", "WinRAR" ], "source_id": "ETDA", "reports": null }, { "id": "7261dbea-1283-4a30-8da6-c30ccfc25024", "created_at": "2023-11-30T02:00:07.289432Z", "updated_at": "2026-04-10T02:00:03.481506Z", "deleted_at": null, "main_name": "MalKamak", "aliases": [], "source_name": "MISPGALAXY:MalKamak", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bee22874-f90e-410b-93f3-a2f9b1c2e695", "created_at": "2022-10-25T16:07:23.45097Z", "updated_at": "2026-04-10T02:00:04.610108Z", "deleted_at": null, "main_name": "Chafer", "aliases": [ "APT 39", "Burgundy Sandstorm", "Cobalt Hickman", "G0087", "ITG07", "Radio Serpens", "Remix Kitten", "TA454" ], "source_name": "ETDA:Chafer", "tools": [ "ASPXSpy", "ASPXTool", "Antak", "CACHEMONEY", "EternalBlue", "HTTPTunnel", "LOLBAS", "LOLBins", "Living off the Land", "MechaFlounder", "Metasploit", "Mimikatz", "NBTscan", "NSSM", "Non-sucking Service Manager", "POWBAT", "Plink", "PuTTY Link", "Rana", "Remcom", "Remexi", "RemoteCommandExecution", "SafetyKatz", "UltraVNC", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "nbtscan", "pwdump" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434506, "ts_updated_at": 1775826755, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2f203432216fb7236122f06fa71410ccead03186.pdf", "text": "https://archive.orkl.eu/2f203432216fb7236122f06fa71410ccead03186.txt", "img": "https://archive.orkl.eu/2f203432216fb7236122f06fa71410ccead03186.jpg" } }