{
	"id": "ccadd681-2127-4127-9c6b-227b660a8712",
	"created_at": "2026-04-06T00:16:21.942038Z",
	"updated_at": "2026-04-10T03:30:01.825812Z",
	"deleted_at": null,
	"sha1_hash": "65ed061a9cbd56412940bbf78492d25e820a2b51",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57715,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:12:06 UTC\nTool: Hisoka\nNames: Hisoka\nCategory: Malware\nType: Backdoor, Downloader\nDescription\n(Palo Alto) We analyzed dozens of samples during this analysis, which resulted in the identification of two separate campaigns — one in mid-to-late 2018 using Sakabota and the other in mid-2019 using Hisoka. Our analysis of the two campaigns revealed that Sakabota is the predecessor to Hisoka, which was first observed in May 2019.\nDuring our analysis, we identified two different versions of Hisoka, specifically v0.8 and v0.9, both installed onto the network of two Kuwait organizations. Both versions contain command sets that allow the actor to control a compromised system. In both versions, the actor can communicate via a command and control (C2) channel that uses either HTTP or DNS tunneling. However, v0.9 also added the ability for an email-based C2 channel as well.\nThe email-based C2 communications capability added to Hisoka v0.9 relies on Exchange Web Services (EWS) to use a legitimate account on an Exchange server in order to allow the actor to communicate with Hisoka. The malware attempts to log into an Exchange server using supplied credentials and uses EWS to send and receive emails in order to establish communications between the target and the actor. However, the communications channel does not actually send and receive emails like other email-based C2 channels we have seen in the past. Instead, the channel relies on creating email drafts that the Hisoka malware and the actor will process in order to exchange data back and forth. By using email drafts as well as the same legitimate Exchange account to communicate, no emails will be detected outbound or received inbound.\nWithin two hours of gaining access to the system through Hisoka, the actor deployed two additional tools named Gon and EYE, whose names were based on the filenames Gon.sys and EYE.exe.\nInformation\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f9fd0ba3-a910-4fda-b553-cf0c489d1e8a\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.hisoka\u003e\nLast change to this tool card: 24 April 2021\nAll groups using tool Hisoka\nChanged | Name | Country | Observed\nAPT groups\n | xHunt | | 2018-Aug 2019\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f9fd0ba3-a910-4fda-b553-cf0c489d1e8a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f9fd0ba3-a910-4fda-b553-cf0c489d1e8a"
	],
	"report_names": [
		"listgroups.cgi?u=f9fd0ba3-a910-4fda-b553-cf0c489d1e8a"
	],
	"threat_actors": [
		{
			"id": "20bc5b83-9ea0-4e60-a23e-19bf203dc9fb",
			"created_at": "2022-10-25T16:07:24.432777Z",
			"updated_at": "2026-04-10T02:00:04.986077Z",
			"deleted_at": null,
			"main_name": "xHunt",
			"aliases": [
				"Cobalt Katana",
				"Hive0081",
				"Hunter Serpens",
				"SectorD01"
			],
			"source_name": "ETDA:xHunt",
			"tools": [
				"CASHY200",
				"COLDTRAIN",
				"Gon",
				"Hisoka",
				"Killua",
				"Netero",
				"SHELLSTING",
				"Sakabota",
				"Snugy",
				"TriFive"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434581,
	"ts_updated_at": 1775791801,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65ed061a9cbd56412940bbf78492d25e820a2b51.pdf",
		"text": "https://archive.orkl.eu/65ed061a9cbd56412940bbf78492d25e820a2b51.txt",
		"img": "https://archive.orkl.eu/65ed061a9cbd56412940bbf78492d25e820a2b51.jpg"
	}
}