{ "id": "c70274ed-205b-4b20-8abd-a13b965fb5de", "created_at": "2026-04-06T00:15:32.294964Z", "updated_at": "2026-04-10T03:33:35.571551Z", "deleted_at": null, "sha1_hash": "41223a74eced043c438e791e829963456df24803", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53815, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:25:54 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool GpUpdates.exe\r\n Tool: GpUpdates.exe\r\nNames GpUpdates.exe\r\nCategory Malware\r\nType Dropper\r\nDescription\r\n(Epic Turla) The droppers are misidentified as packed by Armadillo but in reality they’re built\r\nusing now defunct Chilkat software, ‘Zip2Secure’ to create self-extracting executables. The\r\npacking alone has led the droppers to be detected under generic AV detections but the\r\nsubcomponents have low-to-no detections at this time.\r\nThe Zip2Secure configuration entrusts the distribution of the files contained therein to\r\n‘Distribute.exe’, which places the files and silently registers the subcomponents with\r\nregsvr32.exe.\r\nInformation \u003chttps://www.epicturla.com/blog/the-lost-nazar\u003e\r\nLast change to this tool card: 24 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool GpUpdates.exe\r\nChanged Name Country Observed\r\nAPT groups\r\n  Nazar 2008  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2d1ee7a1-0d40-43c8-a24a-d1d903daaeb6\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2d1ee7a1-0d40-43c8-a24a-d1d903daaeb6\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2d1ee7a1-0d40-43c8-a24a-d1d903daaeb6" ], "report_names": [ "listgroups.cgi?u=2d1ee7a1-0d40-43c8-a24a-d1d903daaeb6" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "bf773c52-830b-46e3-aa61-58c82eb323ee", "created_at": "2023-01-06T13:46:39.135077Z", "updated_at": "2026-04-10T02:00:03.226187Z", "deleted_at": null, "main_name": "Nazar", "aliases": [ "SIG37" ], "source_name": "MISPGALAXY:Nazar", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f3b19931-3751-4ece-a235-15b397951dc2", "created_at": "2022-10-25T16:07:23.889537Z", "updated_at": "2026-04-10T02:00:04.780137Z", "deleted_at": null, "main_name": "Nazar", "aliases": [ "SIG37" ], "source_name": "ETDA:Nazar", "tools": [ "Distribute.exe", "EYService", "GpUpdates.exe", "Microolap Packet Sniffer", "TCPDUMP for Windows" ], "source_id": "ETDA", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434532, "ts_updated_at": 1775792015, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/41223a74eced043c438e791e829963456df24803.pdf", "text": "https://archive.orkl.eu/41223a74eced043c438e791e829963456df24803.txt", "img": "https://archive.orkl.eu/41223a74eced043c438e791e829963456df24803.jpg" } }