{
	"id": "b0af937b-786a-4402-9da0-cce7cda9bf45",
	"created_at": "2026-04-06T00:16:48.774624Z",
	"updated_at": "2026-04-10T13:11:53.371778Z",
	"deleted_at": null,
	"sha1_hash": "4fa6ecaf4d9332906af838903102ea396097064b",
	"title": "Cobalt Strike - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 30241,
	"plain_text": "Cobalt Strike - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:41:54 UTC\r\nDescription: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named\r\n'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not\r\nlimited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port\r\nscanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage\r\nshellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself\r\ninto the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS,\r\nSMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a\r\ntoolkit for developing shellcode loaders, called Artifact Kit.\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable,\r\nand highly customizable.\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7ea8d070-cfd7-473c-a615-437fc292af55\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7ea8d070-cfd7-473c-a615-437fc292af55\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7ea8d070-cfd7-473c-a615-437fc292af55"
	],
	"report_names": [
		"listgroups.cgi?u=7ea8d070-cfd7-473c-a615-437fc292af55"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434608,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4fa6ecaf4d9332906af838903102ea396097064b.pdf",
		"text": "https://archive.orkl.eu/4fa6ecaf4d9332906af838903102ea396097064b.txt",
		"img": "https://archive.orkl.eu/4fa6ecaf4d9332906af838903102ea396097064b.jpg"
	}
}