{ "id": "3a558d7b-eb66-48fc-9edd-013cbefafa07", "created_at": "2026-04-06T00:11:49.314193Z", "updated_at": "2026-04-10T03:37:17.449723Z", "deleted_at": null, "sha1_hash": "4944d362537ea0db4e36a96b846a0c53ebc28abe", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48387, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:31:40 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool updater.mod\n Tool: updater.mod\nNames updater.mod\nCategory Malware\nType Backdoor, Exfiltration, Downloader\nDescription\n(Kaspersky) This module is implemented as a dynamic-link library with only one exported\nfunction, called callme@16. This module is responsible for such tasks as providing\ncommunication with the C2 server, providing the malware integrity and persistence\nmechanism and managing other malware modules.\nThe persistence mechanism is provided by a link file, which is placed by updater.mod into the\nstartup folder, ensuring malware execution after a reboot. If the link file becomes corrupted,\nthe updater.mod module restores it.\nIn this campaign the C2 servers were mostly based on cloud storage at mydrive.ch. For every\nvictim, the operators created a new account there and uploaded additional malware modules\nand a configuration file with commands to execute it. Once executed, the updater.mod module\nconnected to the C2 and performed the following actions:\n• downloaded the command file to the working directory;\n• uploaded files collected and prepared by additional malicious modules (if any) to the C2.\nThese files were located in a directory called ‘queue’ or ‘ntfsrecover’ in the working directory.\nFiles in this directory could have one of two extensions: .d or .upd depending on whether they\nhad already been uploaded to the server or not.\n• downloaded additional malware modules:\no dfrgntfs5.sqt – a module for executing commands from the C2;\no msvcrt58.sqt – a module for stealing mail credentials and emails;\no zl4vq.sqt – legitimate zlib library used by dfrgntfs5;\no %victim_ID%.upe – optional plug-in for dfrgntfs5. Unfortunately, we were unable to obtain\nthis file.\nInformation Last change to this tool card: 20 April 2020\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e268f978-6c07-4c3f-85d8-23749fcba4ce\nPage 1 of 2\n\nDownload this tool card in JSON format\r\nAll groups using tool updater.mod\r\nChanged Name Country Observed\r\nAPT groups\r\n  DarkUniverse [Unknown] 2017  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e268f978-6c07-4c3f-85d8-23749fcba4ce\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e268f978-6c07-4c3f-85d8-23749fcba4ce\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e268f978-6c07-4c3f-85d8-23749fcba4ce" ], "report_names": [ "listgroups.cgi?u=e268f978-6c07-4c3f-85d8-23749fcba4ce" ], "threat_actors": [ { "id": "9a58d7bb-dd32-41bc-804e-500ef7550cf8", "created_at": "2023-01-06T13:46:39.131811Z", "updated_at": "2026-04-10T02:00:03.2252Z", "deleted_at": null, "main_name": "ItaDuke", "aliases": [ "DarkUniverse", "SIG27" ], "source_name": "MISPGALAXY:ItaDuke", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "59ce37c7-ce10-4cc3-ab27-c784a8a0898a", "created_at": "2022-10-25T16:07:23.534403Z", "updated_at": "2026-04-10T02:00:04.645423Z", "deleted_at": null, "main_name": "DarkUniverse", "aliases": [], "source_name": "ETDA:DarkUniverse", "tools": [ "dfrgntfs5.sqt", "glue30.dll", "msvcrt58.sqt", "updater.mod", "zl4vq.sqt" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434309, "ts_updated_at": 1775792237, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4944d362537ea0db4e36a96b846a0c53ebc28abe.pdf", "text": "https://archive.orkl.eu/4944d362537ea0db4e36a96b846a0c53ebc28abe.txt", "img": "https://archive.orkl.eu/4944d362537ea0db4e36a96b846a0c53ebc28abe.jpg" } }