{
	"id": "363b7b65-66bc-4b67-8733-60a5a090181f",
	"created_at": "2026-04-06T00:15:18.545067Z",
	"updated_at": "2026-04-10T13:11:31.159425Z",
	"deleted_at": null,
	"sha1_hash": "69832a4c97f048b0c5a0b118c615c79beed847f7",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47357,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:42:43 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool EVILSUN\r\n Tool: EVILSUN\r\nNames EVILSUN\r\nCategory Exploits\r\nDescription\r\n(FireEye) EVILSUN is a remote exploitation tool that gains access to Solaris 10 and 11\r\nsystems of SPARC or i386 architecture using a vulnerability (CVE-2020-14871) exposed by\r\nSSH keyboard-interactive authentication. The remote exploitation tool makes SSH\r\nconnections to hosts passed on the command line. The default port is the normal SSH port\r\n(22), but this may be overridden. EVILSUN passes the banner string SSH-2.0-Sun_SSH_1.1.3\r\nover the connection in clear text as part of handshaking.\r\nInformation \u003chttps://www.mandiant.com/resources/live-off-the-land-an-overview-of-unc1945\u003e\r\nLast change to this tool card: 03 April 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool EVILSUN\r\nChanged Name Country Observed\r\nAPT groups\r\n  LightBasin 2016  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ad794600-929a-42d4-a1a6-516f5ffcaadd\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ad794600-929a-42d4-a1a6-516f5ffcaadd\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ad794600-929a-42d4-a1a6-516f5ffcaadd"
	],
	"report_names": [
		"listgroups.cgi?u=ad794600-929a-42d4-a1a6-516f5ffcaadd"
	],
	"threat_actors": [
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434518,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/69832a4c97f048b0c5a0b118c615c79beed847f7.pdf",
		"text": "https://archive.orkl.eu/69832a4c97f048b0c5a0b118c615c79beed847f7.txt",
		"img": "https://archive.orkl.eu/69832a4c97f048b0c5a0b118c615c79beed847f7.jpg"
	}
}