{ "id": "863dab09-2d11-4f33-a1e4-919e22c5e095", "created_at": "2026-04-06T00:21:44.135478Z", "updated_at": "2026-04-10T03:34:23.594384Z", "deleted_at": null, "sha1_hash": "5d0efb29b4bd5ddfbd8dc43d9fa4b1893755054d", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 43444, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:39:50 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ProduKey\r\n Tool: ProduKey\r\nNames ProduKey\r\nCategory Tools\r\nType Info stealer\r\nDescription\r\nProduKey is a small utility that displays the ProductID and the CD-Key of Microsoft Office\r\n(Microsoft Office 2003, Microsoft Office 2007), Windows (Including Windows 8/7/Vista),\r\nExchange Server, and SQL Server installed on your computer. You can view this information\r\nfor your current running operating system, or for another operating system/computer - by\r\nusing command-line options. This utility can be useful if you lost the product key of your\r\nWindows/Office, and you want to reinstall it on your computer.\r\nInformation \u003chttps://www.nirsoft.net/utils/product_cd_key_viewer.html\u003e\r\nLast change to this tool card: 10 July 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool ProduKey\r\nChanged Name Country Observed\r\nAPT groups\r\n  Evilnum [Unknown] 2018-2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b7e4e57-8e56-4d10-bf95-29d2dfbfa92b\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b7e4e57-8e56-4d10-bf95-29d2dfbfa92b\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b7e4e57-8e56-4d10-bf95-29d2dfbfa92b" ], "report_names": [ "listgroups.cgi?u=6b7e4e57-8e56-4d10-bf95-29d2dfbfa92b" ], "threat_actors": [ { "id": "059b16f8-d4e0-4399-9add-18101a2fd298", "created_at": "2022-10-25T15:50:23.29434Z", "updated_at": "2026-04-10T02:00:05.380938Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "Evilnum" ], "source_name": "MITRE:Evilnum", "tools": [ "More_eggs", "EVILNUM", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "39ea99fb-1704-445d-b5cd-81e7c99d6012", "created_at": "2022-10-25T16:07:23.601894Z", "updated_at": "2026-04-10T02:00:04.684134Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "G0120", "Jointworm", "Operation Phantom in the [Command] Shell", "TA4563" ], "source_name": "ETDA:Evilnum", "tools": [ "Bypass-UAC", "Cardinal RAT", "ChromeCookiesView", "EVILNUM", "Evilnum", "IronPython", "LaZagne", "MailPassView", "More_eggs", "ProduKey", "PyVil", "PyVil RAT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraPreter", "TerraStealer", "TerraTV" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434904, "ts_updated_at": 1775792063, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5d0efb29b4bd5ddfbd8dc43d9fa4b1893755054d.pdf", "text": "https://archive.orkl.eu/5d0efb29b4bd5ddfbd8dc43d9fa4b1893755054d.txt", "img": "https://archive.orkl.eu/5d0efb29b4bd5ddfbd8dc43d9fa4b1893755054d.jpg" } }