{
	"id": "46f07d99-c979-4b93-83b0-4e4a64beabe7",
	"created_at": "2026-04-06T00:12:16.411106Z",
	"updated_at": "2026-04-10T13:12:52.216534Z",
	"deleted_at": null,
	"sha1_hash": "771c666939c2f4228296300d801c56be06a6b643",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55531,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:44:26 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Serveo\r\n Tool: Serveo\r\nNames Serveo\r\nCategory Malware\r\nType Backdoor, Tunneling\r\nDescription\r\n(ClearSky) Serveo is a free tool for opening outside-facing servers and applications on a\r\ncorporate network, whether on localhost or elsewhere. Unlike Ngrok, Serveo is an SSH-only\r\nserver; also, any port that will be defined to it (save for 22, 80, and 443, which are accessible\r\nfrom outside) will get another, unassigned TCP port instead. Using this service, the attacker\r\nwas operating different services inside the network. Thus, for instance, the attacker had\r\noperated an RDP connection through the localhost on port 3389 (RDP); using Serveo, the\r\nattacker has opened this RDP for the outside world through port 12618 (TCP). The attacker\r\nhas opened an SSH tunnel to another port in order to maintain an encrypted RDP on the\r\nattacked target.\r\nMoreover, like with the backdoor that had hardcoded and predefined credentials, here too the\r\nattacker separated every server that was opened to the outside world.\r\nInformation\r\n\u003chttps://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Serveo\r\nChanged Name Country Observed\r\nAPT groups\r\n  Parisite, Fox Kitten, Pioneer Kitten 2017-Nov 2020  \r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6f8f3241-ca9b-4fab-9a7e-ede5321c8b9c\r\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6f8f3241-ca9b-4fab-9a7e-ede5321c8b9c\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6f8f3241-ca9b-4fab-9a7e-ede5321c8b9c\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6f8f3241-ca9b-4fab-9a7e-ede5321c8b9c"
	],
	"report_names": [
		"listgroups.cgi?u=6f8f3241-ca9b-4fab-9a7e-ede5321c8b9c"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-10T02:00:04.847961Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-10T02:00:03.651425Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-10T02:00:03.232876Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-10T02:00:05.260839Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434336,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/771c666939c2f4228296300d801c56be06a6b643.pdf",
		"text": "https://archive.orkl.eu/771c666939c2f4228296300d801c56be06a6b643.txt",
		"img": "https://archive.orkl.eu/771c666939c2f4228296300d801c56be06a6b643.jpg"
	}
}