{
	"id": "dfa5d523-6796-4615-af69-3b398ee159f2",
	"created_at": "2026-04-06T00:11:26.354316Z",
	"updated_at": "2026-04-10T03:29:45.417909Z",
	"deleted_at": null,
	"sha1_hash": "5232a62f7e1619ace61cb803d985953c74936cbd",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57221,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:29:04 UTC\nTool: DoubleFeature\nNames: DoubleFeature\nCategory: Malware\nType: Reconnaissance\nDescription\n(Check Point) To better understand the above structure and flow, we focused our research on a\ncomponent of DanderSpritz named Doublefeature (or Df for short). According to its own\ninternal documentation, this plugin “Generates a log \u0026 report about the types of tools that\ncould be deployed on the target”; a lot of the framework tools, in their own internal\ndocumentation, make the chilling claim that DoubleFeature is the only way to confirm their\nexistence on a compromised system. After some pause, we figured that at least this means\nDoubleFeature could be used as a sort of Rosetta Stone for better understanding DanderSpritz\nmodules, and systems compromised by them. DoubleFeature effectively, well, doubles as a\ndiagnostic tool for victim machines carrying DanderSpritz — It’s an incident response team’s\npipe dream.\nInformation\nLast change to this tool card: 25 January 2022\nAll groups using tool DoubleFeature\nChanged | Name | Country | Observed\nAPT groups\nName: Equation Group | Observed: 2001-Aug 2016\n1 group listed (1 APT, 0 other, 0 unknown)\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a3223c7e-a8ba-4776-922a-ffdf1f1ec4fe",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a3223c7e-a8ba-4776-922a-ffdf1f1ec4fe"
	],
	"report_names": [
		"listgroups.cgi?u=a3223c7e-a8ba-4776-922a-ffdf1f1ec4fe"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434286,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5232a62f7e1619ace61cb803d985953c74936cbd.pdf",
		"text": "https://archive.orkl.eu/5232a62f7e1619ace61cb803d985953c74936cbd.txt",
		"img": "https://archive.orkl.eu/5232a62f7e1619ace61cb803d985953c74936cbd.jpg"
	}
}