{
	"id": "dc62aa96-22f1-45b2-87d4-abab564ad960",
	"created_at": "2026-04-06T00:14:33.323512Z",
	"updated_at": "2026-04-10T13:12:27.561298Z",
	"deleted_at": null,
	"sha1_hash": "6bb533b4f8e5d7b19446a98af1bd2379f1ef746b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47383,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:53:10 UTC\nTool: CordScan\nNames: CordScan\nCategory: Malware\nType: Reconnaissance\nDescription:\n(CrowdStrike) This executable is a network scanning and packet capture utility that contains built-in logic relating to the application layer of telecommunications systems, which allows for fingerprinting and the retrieval of additional data when dealing with common telecommunication protocols from infrastructure such as SGSNs. SGSNs could be targets for further collection by the adversary, as they are responsible for packet data delivery to and from mobile stations and also hold location information for registered GPRS users. CrowdStrike identified multiple versions of this utility, including a cross-compiled version for systems running on ARM architecture, such as Huawei’s commercial CentOS-based operating system EulerOS.\nInformation: Last change to this tool card: 03 November 2021\nAll groups using tool CordScan\nColumns: Changed | Name | Country | Observed\nAPT groups\nLightBasin (Observed: 2016; the Changed and Country cells were not captured in the text extraction)\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4f1b6373-fc44-4148-bc21-5bf02c56430a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4f1b6373-fc44-4148-bc21-5bf02c56430a"
	],
	"report_names": [
		"listgroups.cgi?u=4f1b6373-fc44-4148-bc21-5bf02c56430a"
	],
	"threat_actors": [
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434473,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bb533b4f8e5d7b19446a98af1bd2379f1ef746b.pdf",
		"text": "https://archive.orkl.eu/6bb533b4f8e5d7b19446a98af1bd2379f1ef746b.txt",
		"img": "https://archive.orkl.eu/6bb533b4f8e5d7b19446a98af1bd2379f1ef746b.jpg"
	}
}