{ "id": "9bafa7c9-1110-4549-9696-1c1afeec0983", "created_at": "2026-04-06T00:11:34.656564Z", "updated_at": "2026-04-10T03:35:19.876756Z", "deleted_at": null, "sha1_hash": "7f798a3ef158ba3804cb8e7835aa88efdf551c8e", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45848, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:04:11 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Comet\n Tool: Comet\nNames\nComet\nMeteor\nStardust\nCategory Malware\nType Wiper\nDescription\n(Check Point) The wiping procedure itself is pretty simple. First, the malware goes over the\nfiles and directories from the paths_to_wipe config, fills them with zero-bytes instead of their\nreal content, and then deletes them.\nAfter the wiping procedure, the malware tries to delete the shadow copies by running the\nfollowing commands: vssadmin.exe delete shadows /all /quiet **and\n**C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe shadowcopy delete. Finally, the malware enters\nan infinite loop where it sleeps based on the is_alive_loop_interval value from the\nconfiguration file and writes 'Meteor is still alive.' to the log in every iteration.\nIf all this rings familiar to you, it should; it’s all straight out from the ransomware playbook —\nexcept this isn’t ransomware, which requires delicate orchestration of public-key and private-key cryptography to make the machine ultimately recoverable; this is Nuke-it-From-Orbit-ware. It’s a one-way trip.\nInformation Last change to this tool card: 01 November 2021\nDownload this tool card in JSON format\nAll groups using tool Comet\nChanged Name Country Observed\nAPT groups\n Indra [Unknown] 2019\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0af6db50-df36-41ae-89d1-4f9674b87efe\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0af6db50-df36-41ae-89d1-4f9674b87efe\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0af6db50-df36-41ae-89d1-4f9674b87efe\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0af6db50-df36-41ae-89d1-4f9674b87efe" ], "report_names": [ "listgroups.cgi?u=0af6db50-df36-41ae-89d1-4f9674b87efe" ], "threat_actors": [ { "id": "8309f9cf-9abb-4ce3-aa1e-cda7d7f5c1b3", "created_at": "2022-10-25T16:07:23.729215Z", "updated_at": "2026-04-10T02:00:04.729076Z", "deleted_at": null, "main_name": "Indra", "aliases": [], "source_name": "ETDA:Indra", "tools": [ "Stardust" ], "source_id": "ETDA", "reports": null }, { "id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e", "created_at": "2026-03-16T02:02:50.582318Z", "updated_at": "2026-04-10T02:00:03.777263Z", "deleted_at": null, "main_name": "COASTLIGHT", "aliases": [ "Gonjeshke Darande", "Indra", "Predatory Sparrow" ], "source_name": "Secureworks:COASTLIGHT", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "219ddb41-2ea8-4121-8b63-8c762f7e15df", "created_at": "2023-01-06T13:46:39.384442Z", "updated_at": "2026-04-10T02:00:03.309654Z", "deleted_at": null, "main_name": "Predatory Sparrow", "aliases": [ "Indra", "Gonjeshke Darande" ], "source_name": "MISPGALAXY:Predatory Sparrow", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434294, "ts_updated_at": 1775792119, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7f798a3ef158ba3804cb8e7835aa88efdf551c8e.pdf", "text": "https://archive.orkl.eu/7f798a3ef158ba3804cb8e7835aa88efdf551c8e.txt", "img": "https://archive.orkl.eu/7f798a3ef158ba3804cb8e7835aa88efdf551c8e.jpg" } }