{
	"id": "9f0c0200-aa53-4b7c-90ae-91af0b6388b2",
	"created_at": "2026-04-06T00:08:17.886081Z",
	"updated_at": "2026-04-10T03:34:02.919841Z",
	"deleted_at": null,
	"sha1_hash": "5d78ae276bb9b4361f42203027854515af988e1c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55905,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:36:07 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Filerase\r\n Tool: Filerase\r\nNames Filerase\r\nCategory Malware\r\nType Wiper\r\nDescription\r\n(Symantec) Unlike previous Shamoon attacks, these latest attacks involve a new, second piece\r\nof wiping malware (Trojan.Filerase). This malware will delete and overwrite files on the\r\ninfected computer. Shamoon itself will meanwhile erase the master boot record of the\r\ncomputer, rendering it unusable.\r\nThe addition of the Filerase wiper makes these attacks more destructive than use of the\r\nShamoon malware alone. While a computer infected by Shamoon could be unusable, files on\r\nthe hard disk may be forensically recoverable. However, if the files are first wiped by the\r\nFilerase malware, recovery becomes impossible.\r\nFilerase is spread across the victim’s network from one initial computer using a list of remote\r\ncomputers. This list is in the form of a text file and is unique to each victim, meaning the\r\nattackers likely gathered this information during an earlier reconnaissance phase of the\r\nintrusion. This list is first copied by a component called OCLC.exe and passed on to another\r\ntool called Spreader.exe. The Spreader component will then copy Filerase to all the computers\r\nlisted. It will then simultaneously trigger the Filerase malware on all infected machines.\r\nInformation\r\n\u003chttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.filerase\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool Filerase\r\nChanged Name Country Observed\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6fdf99c2-8299-484b-a70a-ca2534092fde\r\nPage 1 of 2\n\nAPT groups\r\n  APT 33, Elfin, Magnallium 2013-Apr 2024  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6fdf99c2-8299-484b-a70a-ca2534092fde\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6fdf99c2-8299-484b-a70a-ca2534092fde\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6fdf99c2-8299-484b-a70a-ca2534092fde"
	],
	"report_names": [
		"listgroups.cgi?u=6fdf99c2-8299-484b-a70a-ca2534092fde"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434097,
	"ts_updated_at": 1775792042,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d78ae276bb9b4361f42203027854515af988e1c.pdf",
		"text": "https://archive.orkl.eu/5d78ae276bb9b4361f42203027854515af988e1c.txt",
		"img": "https://archive.orkl.eu/5d78ae276bb9b4361f42203027854515af988e1c.jpg"
	}
}