{ "id": "02dac88c-2a92-4baa-bf08-e708bf036d7f", "created_at": "2026-04-06T00:08:19.941203Z", "updated_at": "2026-04-10T13:11:31.989455Z", "deleted_at": null, "sha1_hash": "47cf91b45e01415b8b498f8e0077757d40e91808", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54568, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:31:40 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool KOMPROGO\n Tool: KOMPROGO\nNames\nKOMPROGO\nSplinter RAT\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Downloader\nDescription\n(Cylance) Splinter arrives as an MSBuild project file containing a Base64 encoded\nPowerShell script generated using the MSFvenom psh-reflection module. As in the case\nof Remy, it utilizes on-the-fly C# compilation and strips off several PowerShell\nwrappers before the shellcode that calls the final payload is invoked. The backdoor itself\nis a Win32 PE EXE file and has the capability to collect information, download and\nexecute payloads, run WMI queries, and manipulate files, processes, and registry\nentries. The overall functionality of Splinter appears pretty much in line with the\n“KOMPROGO” malware (as described in the FireEye APT32 report).\nInformation\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 14 May 2020\nDownload this tool card in JSON format\nAll groups using tool KOMPROGO\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=27f94f7d-9871-458b-aac3-7d48efce7047\nPage 1 of 2\n\nAPT 32, OceanLotus, SeaLotus 2013-Aug 2024\r\n  FIN10 [Unknown] 2016  \r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=27f94f7d-9871-458b-aac3-7d48efce7047\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=27f94f7d-9871-458b-aac3-7d48efce7047\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=27f94f7d-9871-458b-aac3-7d48efce7047" ], "report_names": [ "listgroups.cgi?u=27f94f7d-9871-458b-aac3-7d48efce7047" ], "threat_actors": [ { "id": "9e3a488e-d304-4431-92e0-c8b9c80542bf", "created_at": "2022-10-25T16:07:23.627198Z", "updated_at": "2026-04-10T02:00:04.693727Z", "deleted_at": null, "main_name": "FIN10", "aliases": [ "G0051" ], "source_name": "ETDA:FIN10", "tools": [ "EmPyre", "EmpireProject", "KOMPROGO", "PowerShell Empire", "Splinter RAT" ], "source_id": "ETDA", "reports": null }, { "id": "af509bbb-8d18-4903-a9bd-9e94099c6b30", "created_at": "2023-01-06T13:46:38.585525Z", "updated_at": "2026-04-10T02:00:03.030833Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "OceanLotus", "ATK17", "G0050", "APT-C-00", "APT-32", "Canvas Cyclone", "SeaLotus", "Ocean Buffalo", "OceanLotus Group", "Cobalt Kitty", "Sea Lotus", "APT 32", "POND LOACH", "TIN WOODLAWN", "Ocean Lotus" ], "source_name": "MISPGALAXY:APT32", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d134593b-1325-47ab-9bb7-b47d6473e352", "created_at": "2022-10-25T15:50:23.827908Z", "updated_at": "2026-04-10T02:00:05.335173Z", "deleted_at": null, "main_name": "FIN10", "aliases": [ "FIN10" ], "source_name": "MITRE:FIN10", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "277b5119-e193-4f98-b18a-c6db644f32f3", "created_at": "2023-01-06T13:46:38.971767Z", "updated_at": "2026-04-10T02:00:03.167584Z", "deleted_at": null, "main_name": "FIN10", "aliases": [ "G0051" ], "source_name": "MISPGALAXY:FIN10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "870f6f62-84f5-48ca-a18e-cf2902cd6924", "created_at": "2022-10-25T15:50:23.303818Z", "updated_at": "2026-04-10T02:00:05.301184Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "APT32", "SeaLotus", "OceanLotus", "APT-C-00", "Canvas Cyclone" ], "source_name": "MITRE:APT32", "tools": [ "Mimikatz", "ipconfig", "Kerrdown", "Cobalt Strike", "SOUNDBITE", "OSX_OCEANLOTUS.D", "KOMPROGO", "netsh", "RotaJakiro", "PHOREAL", "Arp", "Denis", "Goopy" ], "source_id": "MITRE", "reports": null }, { "id": "5da6b5fd-1955-412a-81aa-069fb50b6e31", "created_at": "2025-08-07T02:03:25.116085Z", "updated_at": "2026-04-10T02:00:03.668978Z", "deleted_at": null, "main_name": "TIN WOODLAWN", "aliases": [ "APT32 ", "Cobalt Kitty", "OceanLotus", "WOODLAWN " ], "source_name": "Secureworks:TIN WOODLAWN", "tools": [ "Cobalt Strike", "Denis", "Goopy", "JEShell", "KerrDown", "Mimikatz", "Ratsnif", "Remy", "Rizzo", "RolandRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "2439ad53-39cc-4fff-8fdf-4028d65803c0", "created_at": "2022-10-25T16:07:23.353204Z", "updated_at": "2026-04-10T02:00:04.55407Z", "deleted_at": null, "main_name": "APT 32", "aliases": [ "APT 32", "APT-C-00", "APT-LY-100", "ATK 17", "G0050", "Lotus Bane", "Ocean Buffalo", "OceanLotus", "Operation Cobalt Kitty", "Operation PhantomLance", "Pond Loach", "SeaLotus", "SectorF01", "Tin Woodlawn" ], "source_name": "ETDA:APT 32", "tools": [ "Agentemis", "Android.Backdoor.736.origin", "AtNow", "Backdoor.MacOS.OCEANLOTUS.F", "BadCake", "CACTUSTORCH", "CamCapture Plugin", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Cuegoe", "DKMC", "Denis", "Goopy", "HiddenLotus", "KOMPROGO", "KerrDown", "METALJACK", "MSFvenom", "Mimikatz", "Nishang", "OSX_OCEANLOTUS.D", "OceanLotus", "PHOREAL", "PWNDROID1", "PhantomLance", "PowerSploit", "Quasar RAT", "QuasarRAT", "RatSnif", "Remy", "Remy RAT", "Rizzo", "Roland", "Roland RAT", "SOUNDBITE", "Salgorea", "Splinter RAT", "Terracotta VPN", "Yggdrasil", "cobeacon", "denesRAT", "fingerprintjs2" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434099, "ts_updated_at": 1775826691, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/47cf91b45e01415b8b498f8e0077757d40e91808.pdf", "text": "https://archive.orkl.eu/47cf91b45e01415b8b498f8e0077757d40e91808.txt", "img": "https://archive.orkl.eu/47cf91b45e01415b8b498f8e0077757d40e91808.jpg" } }