{
	"id": "bbcdb510-1e9b-483e-a614-6708fc1c176a",
	"created_at": "2026-04-06T00:15:55.548142Z",
	"updated_at": "2026-04-10T13:12:03.759804Z",
	"deleted_at": null,
	"sha1_hash": "7c05defb743032398f763725f66e120df5560f76",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57624,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 15:53:58 UTC\r\n APT group: Cadelle\r\nNames Cadelle (Symantec)\r\nCountry Iran\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2011\r\nDescription\r\n(Symantec) Symantec telemetry identified Cadelle and Chafer, APT 39 activity dating from as\r\nfar back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C\u0026C) registrant information points to activity possibly as early as 2011, while\r\nexecutable compilation times suggest early 2012. Their attacks continue to the present day.\r\nSymantec estimates that each team is made up of between 5 and 10 people.\r\nThere is evidence to suggest that the two teams may be connected in some way, though we\r\ncannot confirm this. A number of computers experienced both Cadelspy and Remexi infections\r\nwithin a small time window. In one instance, a computer was compromised with\r\nBackdoor.Cadelspy just minutes after being infected with Backdoor.Remexi. The Cadelle and\r\nChafer groups also keep the same working hours and focus on similar targets. However, no\r\nsharing of C\u0026C infrastructure between the teams has been observed.\r\nIf Cadelle and Chafer are not directly linked, then they may be separately working for a single\r\nentity. Their victim profile may be of interest to a nation state.\r\nObserved\r\nCountries: Germany, Iran, Iraq, Netherlands, Pakistan, Saudi Arabia, Singapore, Sudan,\r\nTajikistan, Thailand, Turkey, UAE, UK, USA.\r\nTools used Antak, Cadelspy.\r\nInformation\r\n\u003chttps://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets\u003e\r\nLast change to this card: 15 April 2020\r\nDownload this actor card in PDF or JSON format\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=847d1026-418b-4a30-8ab9-6a4868ab6302\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=847d1026-418b-4a30-8ab9-6a4868ab6302\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=847d1026-418b-4a30-8ab9-6a4868ab6302\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=847d1026-418b-4a30-8ab9-6a4868ab6302"
	],
	"report_names": [
		"showcard.cgi?u=847d1026-418b-4a30-8ab9-6a4868ab6302"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5d57e839-da14-44ab-b0dc-3a090f45ac4c",
			"created_at": "2022-10-25T16:07:23.42967Z",
			"updated_at": "2026-04-10T02:00:04.595465Z",
			"deleted_at": null,
			"main_name": "Cadelle",
			"aliases": [],
			"source_name": "ETDA:Cadelle",
			"tools": [
				"Antak",
				"Cadelle",
				"Cadelspy",
				"WinSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1ba5f718-ad64-492c-8a95-e21a46516d22",
			"created_at": "2023-01-06T13:46:38.524357Z",
			"updated_at": "2026-04-10T02:00:03.011902Z",
			"deleted_at": null,
			"main_name": "Cadelle",
			"aliases": [],
			"source_name": "MISPGALAXY:Cadelle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434555,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c05defb743032398f763725f66e120df5560f76.pdf",
		"text": "https://archive.orkl.eu/7c05defb743032398f763725f66e120df5560f76.txt",
		"img": "https://archive.orkl.eu/7c05defb743032398f763725f66e120df5560f76.jpg"
	}
}