{
	"id": "5ea2f618-4c2e-4716-ac0c-34ba6d111a77",
	"created_at": "2026-04-06T00:14:48.186427Z",
	"updated_at": "2026-04-10T03:35:37.637734Z",
	"deleted_at": null,
	"sha1_hash": "4aa0e3c9048b4a736619cf4375855100f2778949",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47660,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:36:31 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool GraphSteel\n Tool: GraphSteel\nNames\nGraphSteel\nElephant Client\nCategory Malware\nType Reconnaissance, Backdoor, Credential stealer\nDescription\n(SOC Investigation) GraphSteel features:\n• Gather hostname, username, and IP address information\n• Execute commands\n• Steal account credentials\n• Use WebSocket and GraphQL to communicate with C2 using AES encryption and base64 encoding\nInformation\nMalpedia Last change to this tool card: 27 December 2022\nDownload this tool card in JSON format\nAll groups using tool GraphSteel\nChanged Name Country Observed\nAPT groups\n SaintBear, Lorec53 2021-Oct 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a332e2dd-65f4-46e9-8138-de9ae3ed7e50\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a332e2dd-65f4-46e9-8138-de9ae3ed7e50\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a332e2dd-65f4-46e9-8138-de9ae3ed7e50\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a332e2dd-65f4-46e9-8138-de9ae3ed7e50"
	],
	"report_names": [
		"listgroups.cgi?u=a332e2dd-65f4-46e9-8138-de9ae3ed7e50"
	],
	"threat_actors": [
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775792137,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4aa0e3c9048b4a736619cf4375855100f2778949.pdf",
		"text": "https://archive.orkl.eu/4aa0e3c9048b4a736619cf4375855100f2778949.txt",
		"img": "https://archive.orkl.eu/4aa0e3c9048b4a736619cf4375855100f2778949.jpg"
	}
}