{
	"id": "971fc596-ad7a-4269-9f5c-2e38dd4a698a",
	"created_at": "2026-04-06T00:10:36.821726Z",
	"updated_at": "2026-04-10T03:29:57.930473Z",
	"deleted_at": null,
	"sha1_hash": "4a129820c25b4ff145a2a1e54f693196b29a1573",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53465,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:24:38 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Karba\r\n Tool: Karba\r\nNames\r\nKarba\r\nTrojan.Win32.Karba.e\r\nCategory Malware\r\nType Reconnaissance, Backdoor\r\nDescription\r\n(Kaspersky) This malware is 220Kb in size. It was built as MFC framework application with a\r\nlot of extra calls that should have complicated the analysis of the sample. It mimics a GUI\r\ndesktop application but it does not create any visible windows or dialogs to interact with local\r\nusers. The Trojan collects data about the system and anti-malware software installed on it, and\r\nuploads that data to Darkhotel command and control servers.\r\nInformation\r\n\u003chttps://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf\u003e\r\n\u003chttps://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070901/darkhotelappendixindicators_kl.pdf\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Karba\r\nChanged Name Country Observed\r\nAPT groups\r\n  DarkHotel 2007-2023  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9af4a581-6acd-4af5-b3ed-058a21fc90cd\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9af4a581-6acd-4af5-b3ed-058a21fc90cd\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9af4a581-6acd-4af5-b3ed-058a21fc90cd"
	],
	"report_names": [
		"listgroups.cgi?u=9af4a581-6acd-4af5-b3ed-058a21fc90cd"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434236,
	"ts_updated_at": 1775791797,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a129820c25b4ff145a2a1e54f693196b29a1573.pdf",
		"text": "https://archive.orkl.eu/4a129820c25b4ff145a2a1e54f693196b29a1573.txt",
		"img": "https://archive.orkl.eu/4a129820c25b4ff145a2a1e54f693196b29a1573.jpg"
	}
}