{
	"id": "18979d1e-9f06-4d1c-8e43-8cd6d7c089f0",
	"created_at": "2026-04-06T00:06:14.761027Z",
	"updated_at": "2026-04-10T13:12:56.826914Z",
	"deleted_at": null,
	"sha1_hash": "4b7378b875616b69b26f1824862f2bfb1f8b4590",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62053,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:14:41 UTC\r\n APT group: xHunt\r\nNames\r\nxHunt (Palo Alto)\r\nSectorD01 (ThreatRecon)\r\nHive0081 (IBM)\r\nCobalt Katana (SecureWorks)\r\nHunter Serpens (Palo Alto)\r\nCountry Iran\r\nMotivation Information theft and espionage\r\nFirst seen 2018\r\nDescription\r\n(Palo Alto) Between May and June 2019, Unit 42 observed previously unknown\r\ntools used in the targeting of transportation and shipping organizations based in\r\nKuwait.\r\nThe first known attack in this campaign targeted a Kuwait transportation and\r\nshipping company in which the actors installed a backdoor tool named Hisoka.\r\nSeveral custom tools were later downloaded to the system in order to carry out post-exploitation activities. All of these tools appear to have been created by the same\r\ndeveloper. We were able to collect several variations of these tools including one\r\ndating back to July 2018.\r\nThe developer of the collected tools used character names from the anime series\r\nHunter x Hunter, which is the basis for the campaign name “xHunt.” The names of\r\nthe tools collected include backdoor tools Sakabota, Hisoka, Netero and Killua.\r\nThese tools not only use HTTP for their command and control (C2) channels, but\r\ncertain variants of these tools use DNS tunneling or emails to communicate with\r\ntheir C2 as well. While DNS tunneling as a C2 channel is fairly common, the\r\nspecific method in which this group used email to facilitate C2 communications has\r\nnot been observed by Unit 42 in quite some time. This method uses Exchange Web\r\nServices (EWS) and stolen credentials to create email “drafts” to communicate\r\nbetween the actor and the tool. In addition to the aforementioned backdoor tools, we\r\nalso observed tools referred to as Gon and EYE, which provide the backdoor access\r\nand the ability to carry out post-exploitation activities.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3a8ec920-4dfd-4a06-81e7-7be8ee639b73\r\nPage 1 of 2\n\nObserved\nSectors: Shipping and Logistics.\nCountries: Kuwait.\nTools used\nBumbleBee, CASHY200, Gon, EYE, Hisoka, Killua, Netero, Sakabota, Snugy,\nTriFive.\nOperations performed\nMay 2018\nOn May 1 and June 3, 2018, we first saw executables that installed\nand executed CASHY200 PowerShell scripts\nAug 2019\nNewly Discovered Backdoors Using Deleted Email Drafts and DNS\nTunneling for Command and Control\nInformation\nPlaybook Last change to this card: 10 March 2024\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3a8ec920-4dfd-4a06-81e7-7be8ee639b73\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3a8ec920-4dfd-4a06-81e7-7be8ee639b73"
	],
	"report_names": [
		"showcard.cgi?u=3a8ec920-4dfd-4a06-81e7-7be8ee639b73"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21e998eb-31c8-4281-be1d-1a5133330eb9",
			"created_at": "2023-01-06T13:46:39.14468Z",
			"updated_at": "2026-04-10T02:00:03.229233Z",
			"deleted_at": null,
			"main_name": "COBALT KATANA",
			"aliases": [
				"Hive0081 (IBM)",
				"SectorD01 (NHSC)",
				"xHunt campaign (Palo Alto)",
				"Hunter Serpens"
			],
			"source_name": "MISPGALAXY:COBALT KATANA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20bc5b83-9ea0-4e60-a23e-19bf203dc9fb",
			"created_at": "2022-10-25T16:07:24.432777Z",
			"updated_at": "2026-04-10T02:00:04.986077Z",
			"deleted_at": null,
			"main_name": "xHunt",
			"aliases": [
				"Cobalt Katana",
				"Hive0081",
				"Hunter Serpens",
				"SectorD01"
			],
			"source_name": "ETDA:xHunt",
			"tools": [
				"CASHY200",
				"COLDTRAIN",
				"Gon",
				"Hisoka",
				"Killua",
				"Netero",
				"SHELLSTING",
				"Sakabota",
				"Snugy",
				"TriFive"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c5a103eb-08af-410b-b11d-3635f4d4a3eb",
			"created_at": "2025-08-07T02:03:24.756187Z",
			"updated_at": "2026-04-10T02:00:03.667108Z",
			"deleted_at": null,
			"main_name": "COBALT KATANA",
			"aliases": [
				"Hive0081",
				"SectorD01",
				"xHunt campaign"
			],
			"source_name": "Secureworks:COBALT KATANA",
			"tools": [
				"CASHY200",
				"Diezen",
				"Eye",
				"Gon",
				"Hisoka",
				"Hisoka Netero",
				"HyphenShell",
				"Killua",
				"Sakabota",
				"Sakabota Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433974,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b7378b875616b69b26f1824862f2bfb1f8b4590.pdf",
		"text": "https://archive.orkl.eu/4b7378b875616b69b26f1824862f2bfb1f8b4590.txt",
		"img": "https://archive.orkl.eu/4b7378b875616b69b26f1824862f2bfb1f8b4590.jpg"
	}
}