{
	"id": "2ecfab24-ed30-4168-a8f9-7974b4c24417",
	"created_at": "2026-04-06T00:21:54.85937Z",
	"updated_at": "2026-04-10T13:12:46.919725Z",
	"deleted_at": null,
	"sha1_hash": "4cdd79bd602f338d9da0121adafdc0d3b009e338",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46073,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:11:53 UTC\n APT group: Slingshot\nNames Slingshot (Kaspersky)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2012\nDescription\n(Kaspersky) While analyzing an incident which involved a suspected keylogger, we identified a\nmalicious library able to interact with a virtual file system, which is usually the sign of an\nadvanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’,\npart of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in\ncomplexity.\nWhile for most victims the infection vector for Slingshot remains unknown, we were able to\nfind several cases where the attackers got access to MikroTik routers and placed a component\ndownloaded by Winbox Loader, a management suite for MikroTik routers. In turn, this\ninfected the administrator of the router.\nWe believe this cluster of activity started in at least 2012 and was still active at the time of this\nanalysis (February 2018).\nObserved\nCountries: Afghanistan, Congo, Iraq, Jordan, Kenya, Libya, Somalia, Sudan, Tanzania, Turkey,\nYemen.\nTools used\nCahnadr, GollumApp, Slingshot and WinBox (a utility used for MikroTik router\nconfiguration).\nInformation Last change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9161f856-9d42-4442-84ab-d0332cfbe8a4\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9161f856-9d42-4442-84ab-d0332cfbe8a4\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9161f856-9d42-4442-84ab-d0332cfbe8a4"
	],
	"report_names": [
		"showcard.cgi?u=9161f856-9d42-4442-84ab-d0332cfbe8a4"
	],
	"threat_actors": [
		{
			"id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde",
			"created_at": "2023-01-06T13:46:38.472883Z",
			"updated_at": "2026-04-10T02:00:02.989134Z",
			"deleted_at": null,
			"main_name": "ProjectSauron",
			"aliases": [
				"Sauron",
				"Project Sauron",
				"G0041"
			],
			"source_name": "MISPGALAXY:ProjectSauron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72aaa00d-4dcb-4f50-934c-326c84ca46e3",
			"created_at": "2023-01-06T13:46:38.995743Z",
			"updated_at": "2026-04-10T02:00:03.175285Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "MISPGALAXY:Slingshot",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f55c7778-a41c-4fc6-a2e7-fa970c5295f2",
			"created_at": "2022-10-25T16:07:24.198891Z",
			"updated_at": "2026-04-10T02:00:04.897342Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "ETDA:Slingshot",
			"tools": [
				"Cahnadr",
				"GollumApp",
				"NDriver"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434914,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4cdd79bd602f338d9da0121adafdc0d3b009e338.pdf",
		"text": "https://archive.orkl.eu/4cdd79bd602f338d9da0121adafdc0d3b009e338.txt",
		"img": "https://archive.orkl.eu/4cdd79bd602f338d9da0121adafdc0d3b009e338.jpg"
	}
}