{
	"id": "949df248-db04-4586-957c-3216141619e1",
	"created_at": "2026-04-06T00:07:06.960118Z",
	"updated_at": "2026-04-10T13:12:30.694957Z",
	"deleted_at": null,
	"sha1_hash": "75dd2aa29e137bbf52b30017c9bd37b71314ff8d",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56885,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:40:57 UTC\r\n APT group: MalKamak\r\nNames\r\nMalKamak (Cybereason)\r\nOperation GhostShell (Cybereason)\r\nCountry Iran\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2018\r\nDescription\r\n(Cybereason) In July 2021, the Cybereason Nocturnus and Incident Response Teams\r\nresponded to Operation GhostShell, a highly-targeted cyber espionage campaign targeting the\r\nAerospace and Telecommunications industries mainly in the Middle East, with additional\r\nvictims in the U.S., Russia and Europe.\r\nThe Operation GhostShell campaign aims to steal sensitive information about critical assets,\r\norganizations’ infrastructure and technology. During the investigation, the Nocturnus Team\r\nuncovered a previously undocumented and stealthy RAT (Remote Access Trojan) dubbed\r\nShellClient which was employed as the primary espionage tool.\r\nThe Nocturnus Team found evidence that the ShellClient RAT has been under ongoing\r\ndevelopment since at least 2018, with several iterations that introduced new functionalities,\r\nwhile it evaded antivirus tools and managed to remain undetected and publicly unknown.\r\nAssessments as to the identity of the operators and authors of ShellClient resulted in the\r\nidentification of a new Iranian threat actor dubbed MalKamak that has operated since at least\r\n2018 and remained publicly unknown thus far. In addition, our research points out possible\r\nconnections to other Iranian state-sponsored APT threat actors such as Chafer, APT 39 and\r\nAgrius APT. 
However, we assess that MalKamak has distinct features that separate it from the\r\nother Iranian groups.\r\nObserved\r\nSectors: Aerospace, Telecommunications.\r\nCountries: Russia, USA, Europe and the Middle East.\r\nTools used PAExec, SafetyKatz, ShellClient, WinRAR.\r\nInformation\r\n\u003chttps://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms\u003e\r\nLast change to this card: 02 November 2021\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1ef36ba9-41f8-42a4-94e6-56678a7b8268\r\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1ef36ba9-41f8-42a4-94e6-56678a7b8268\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1ef36ba9-41f8-42a4-94e6-56678a7b8268\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1ef36ba9-41f8-42a4-94e6-56678a7b8268"
	],
	"report_names": [
		"showcard.cgi?u=1ef36ba9-41f8-42a4-94e6-56678a7b8268"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8205484f-7cf2-4b43-b2de-c1a500ae310e",
			"created_at": "2022-10-25T16:07:23.861533Z",
			"updated_at": "2026-04-10T02:00:04.764666Z",
			"deleted_at": null,
			"main_name": "MalKamak",
			"aliases": [
				"Operation GhostShell"
			],
			"source_name": "ETDA:MalKamak",
			"tools": [
				"PAExec",
				"SafetyKatz",
				"ShellClient",
				"WinRAR"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7261dbea-1283-4a30-8da6-c30ccfc25024",
			"created_at": "2023-11-30T02:00:07.289432Z",
			"updated_at": "2026-04-10T02:00:03.481506Z",
			"deleted_at": null,
			"main_name": "MalKamak",
			"aliases": [],
			"source_name": "MISPGALAXY:MalKamak",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434026,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75dd2aa29e137bbf52b30017c9bd37b71314ff8d.pdf",
		"text": "https://archive.orkl.eu/75dd2aa29e137bbf52b30017c9bd37b71314ff8d.txt",
		"img": "https://archive.orkl.eu/75dd2aa29e137bbf52b30017c9bd37b71314ff8d.jpg"
	}
}