{
	"id": "81b37af5-a51b-4037-899f-c098f04d495c",
	"created_at": "2026-04-06T00:13:24.363458Z",
	"updated_at": "2026-04-10T13:11:37.458986Z",
	"deleted_at": null,
	"sha1_hash": "3c2d082b03891d796fbdaae9059c8155965f03f8",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54242,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:48:15 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Sakabota\n Tool: Sakabota\nNames Sakabota\nCategory Malware\nType Backdoor\nDescription\n(Palo Alto) We analyzed dozens of samples during this analysis, which resulted in the\nidentification of two separate campaigns — one in mid-to-late 2018 using Sakabota and the\nother in mid-2019 using Hisoka. Our analysis of the two campaigns revealed that Sakabota is\nthe predecessor to Hisoka, which was first observed in May 2019. By analyzing both Hisoka\nand Sakabota as well as the additional tools identified in the aforementioned activity, we have\ndetermined that Sakabota is likely the basis for the development of all the tools used in these\nattack campaigns.\nInformation\nLast change to this tool card: 29 April 2020\nDownload this tool card in JSON format\nAll groups using tool Sakabota\nChanged Name Country Observed\nAPT groups\n xHunt 2018-Aug 2019\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=760b0f65-38b4-4cf5-b907-e6d1a046001b\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=760b0f65-38b4-4cf5-b907-e6d1a046001b\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=760b0f65-38b4-4cf5-b907-e6d1a046001b"
	],
	"report_names": [
		"listgroups.cgi?u=760b0f65-38b4-4cf5-b907-e6d1a046001b"
	],
	"threat_actors": [
		{
			"id": "20bc5b83-9ea0-4e60-a23e-19bf203dc9fb",
			"created_at": "2022-10-25T16:07:24.432777Z",
			"updated_at": "2026-04-10T02:00:04.986077Z",
			"deleted_at": null,
			"main_name": "xHunt",
			"aliases": [
				"Cobalt Katana",
				"Hive0081",
				"Hunter Serpens",
				"SectorD01"
			],
			"source_name": "ETDA:xHunt",
			"tools": [
				"CASHY200",
				"COLDTRAIN",
				"Gon",
				"Hisoka",
				"Killua",
				"Netero",
				"SHELLSTING",
				"Sakabota",
				"Snugy",
				"TriFive"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c2d082b03891d796fbdaae9059c8155965f03f8.pdf",
		"text": "https://archive.orkl.eu/3c2d082b03891d796fbdaae9059c8155965f03f8.txt",
		"img": "https://archive.orkl.eu/3c2d082b03891d796fbdaae9059c8155965f03f8.jpg"
	}
}