{
	"id": "4bb412b3-b224-4ffe-ba7f-ff1ea6f336e9",
	"created_at": "2026-04-06T01:32:29.265369Z",
	"updated_at": "2026-04-10T13:12:35.9295Z",
	"deleted_at": null,
	"sha1_hash": "80ed182c04f40280b1b5dce1208df3f34573ad03",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51689,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:48:42 UTC\r\nTool: Sepulcher\r\nNames Sepulcher\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\r\nDescription\r\n(Proofpoint) Sepulcher malware has seven work modes that include conducting\r\nreconnaissance on an infected host, spawning a reverse command shell, reading from file,\r\nand writing to file. More granularly, additional commands exist within the intelligence\r\ngathering/reconnaissance work modes (1002, 1003, 1004) which carry out reconnaissance\r\nfunctionality within the infected host. These commands include obtaining information\r\nabout the drives, file information, directory statistics, directory paths, directory content,\r\nrunning processes, and services. Additionally, it is capable of more active functionalities\r\nlike deleting directories and files, creating directories, moving file source to destination,\r\nspawning a shell to execute commands, terminating a process, restarting a service,\r\nchanging a service start type, and deleting a service.\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic\u003e\r\n\u003chttps://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:sepulcher\u003e\r\nLast change to this tool card: 24 April 2021\r\nAll groups using tool Sepulcher\r\nChanged Name Country Observed\r\nAPT groups\r\n  TA413 2019-2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0c4b65ac-4631-443d-8091-e5197e57575f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0c4b65ac-4631-443d-8091-e5197e57575f"
	],
	"report_names": [
		"listgroups.cgi?u=0c4b65ac-4631-443d-8091-e5197e57575f"
	],
	"threat_actors": [
		{
			"id": "3b1367ff-99dc-41f0-986f-4a1dcb41bbbf",
			"created_at": "2022-10-25T16:07:24.273478Z",
			"updated_at": "2026-04-10T02:00:04.918037Z",
			"deleted_at": null,
			"main_name": "TA413",
			"aliases": [
				"White Dev 9"
			],
			"source_name": "ETDA:TA413",
			"tools": [
				"Exile RAT",
				"ExileRAT",
				"Sepulcher"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9792e41f-4165-474b-99fa-e74ec332bd87",
			"created_at": "2023-01-06T13:46:38.986789Z",
			"updated_at": "2026-04-10T02:00:03.172308Z",
			"deleted_at": null,
			"main_name": "Lucky Cat",
			"aliases": [
				"TA413",
				"White Dev 9"
			],
			"source_name": "MISPGALAXY:Lucky Cat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439149,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80ed182c04f40280b1b5dce1208df3f34573ad03.pdf",
		"text": "https://archive.orkl.eu/80ed182c04f40280b1b5dce1208df3f34573ad03.txt",
		"img": "https://archive.orkl.eu/80ed182c04f40280b1b5dce1208df3f34573ad03.jpg"
	}
}