{ "id": "7bf7a8b3-e0d7-4779-a013-9e57db893c02", "created_at": "2026-04-06T00:16:41.197286Z", "updated_at": "2026-04-10T03:31:42.922742Z", "deleted_at": null, "sha1_hash": "460395a5ad35eba045e557a90422340f31be8510", "title": "Hatef Wiper - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45634, "plain_text": "Hatef Wiper - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:04:44 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Hatef Wiper\n Tool: Hatef Wiper\nNames Hatef Wiper\nCategory Malware\nType Wiper\nDescription\n(Intezer) The malware wipes key system paths across all connected drives, focusing on\ndirectories within “Users,” “Program Files,” “Program Files (x86),” and “Windows,”\nemploying the ProcessDirectory method to enumerate all files within these paths recursively.\nOnce files are deleted, and directories are left empty, it uses an incorrectly spelled method,\nDeleteDrirectorys, to remove these now-obsolete directories.\nDuring its operation, the wiper sends periodic updates to a predetermined Telegram chat, likely\nto inform its controllers about the ongoing progress or notify them when the task is completed.\nThe dispatched information comprises the external IP address of the infected computer, the\nhostname, a timestamp, and a count of “Undeleted files” within critical file system locations\nsuch as the Windows directory and Program Files directories. This count is formatted to show\nthe number of files that the malware has not managed to delete up to that point. This\ncommunication strategy serves as a means of real-time reporting on malicious activities,\noffering the attackers updates and insights into the efficacy of their attack.\nInformation Last change to this tool card: 16 January 2024\nDownload this tool card in JSON format\nAll groups using tool Hatef Wiper\nChanged Name Country Observed\nOther groups\n Handala Hack Team [Unknown] 2023-Dec 2023\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d582c66b-480c-41d3-9211-20a615163a5b\nPage 1 of 2\n\n1 group listed (0 APT, 1 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d582c66b-480c-41d3-9211-20a615163a5b\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d582c66b-480c-41d3-9211-20a615163a5b\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d582c66b-480c-41d3-9211-20a615163a5b" ], "report_names": [ "listgroups.cgi?u=d582c66b-480c-41d3-9211-20a615163a5b" ], "threat_actors": [ { "id": "d0fef355-9eb9-4adc-8d90-a8c7494c4a81", "created_at": "2024-01-18T02:02:34.735032Z", "updated_at": "2026-04-10T02:00:05.011663Z", "deleted_at": null, "main_name": "Handala Hack Team", "aliases": [ "Operation HamsaUpdate" ], "source_name": "ETDA:Handala Hack Team", "tools": [ "Hamsa Wiper", "Handala", "Hatef Wiper" ], "source_id": "ETDA", "reports": null }, { "id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4", "created_at": "2024-10-04T02:00:04.766263Z", "updated_at": "2026-04-10T02:00:03.715945Z", "deleted_at": null, "main_name": "Handala", "aliases": [], "source_name": "MISPGALAXY:Handala", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb", "created_at": "2025-08-07T02:03:24.769383Z", "updated_at": "2026-04-10T02:00:03.860954Z", "deleted_at": null, "main_name": "COBALT MYSTIQUE", "aliases": [ "Banished Kitten ", "DEV-0842 ", "Druidfly ", "Handala Hack Team", "Homeland Justice", "Karmabelow80", "Red Sandstorm ", "Storm-0842 ", "Void Manticore " ], "source_name": "Secureworks:COBALT MYSTIQUE", "tools": [ "AllinOneNeo", "Bibi", "GramPy", "GramPyLoader" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434601, "ts_updated_at": 1775791902, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/460395a5ad35eba045e557a90422340f31be8510.pdf", "text": "https://archive.orkl.eu/460395a5ad35eba045e557a90422340f31be8510.txt", "img": "https://archive.orkl.eu/460395a5ad35eba045e557a90422340f31be8510.jpg" } }