{
	"id": "c26206bb-fab2-43b3-895b-4f5909f49922",
	"created_at": "2026-04-06T00:17:09.454605Z",
	"updated_at": "2026-04-10T13:12:32.827585Z",
	"deleted_at": null,
	"sha1_hash": "3deb9ae5e7ca162047dee93afa613b8bd3568cd5",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57014,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:22:52 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool GROK\n Tool: GROK\nNames GROK\nCategory Malware\nType Keylogger\nDescription\n“Grok” is a very sophisticated keylogger used by the Equation Group;\nit was also mentioned in one of the documents leaked by Edward Snowden. Grok is\nconsidered a keylogging component of the UNITEDRAKE malware, which experts linked to\nthe Regin malware.\n“The codename GROK appears in several documents published by Der Spiegel, where ‘a\nkeylogger’ is mentioned. Our analysis indicates EQUATIONGROUP’s GROK plugin is\nindeed a keylogger on steroids that can perform many other functions,” reads the report.\n“Grok” is referred to for the first time in a post published by The Intercept titled, “How the\nNSA Plans to Infect ‘Millions’ of Computers with Malware.” The article introduces an NSA-developed keylogger called Grok.\nInformation\nMalpedia Last change to this tool card: 23 April 2020\nDownload this tool card in JSON format\nAll groups using tool GROK\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5135e7d5-5c40-4e5a-b580-f8610ad7852b\nPage 1 of 2\n\nEquation Group 2001-Aug 2016\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5135e7d5-5c40-4e5a-b580-f8610ad7852b\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5135e7d5-5c40-4e5a-b580-f8610ad7852b\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5135e7d5-5c40-4e5a-b580-f8610ad7852b"
	],
	"report_names": [
		"listgroups.cgi?u=5135e7d5-5c40-4e5a-b580-f8610ad7852b"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434629,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3deb9ae5e7ca162047dee93afa613b8bd3568cd5.pdf",
		"text": "https://archive.orkl.eu/3deb9ae5e7ca162047dee93afa613b8bd3568cd5.txt",
		"img": "https://archive.orkl.eu/3deb9ae5e7ca162047dee93afa613b8bd3568cd5.jpg"
	}
}