{
	"id": "cccfc96c-4bbd-493b-9ece-870acbfc8f01",
	"created_at": "2026-04-06T00:19:19.768918Z",
	"updated_at": "2026-04-10T13:12:27.096933Z",
	"deleted_at": null,
	"sha1_hash": "86dd20e40f2a4013186441b6d359410559a821a2",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44334,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:59:58 UTC\r\nTool: DRAWSTRING\r\nNames: DRAWSTRING\r\nCategory: Malware\r\nType: Downloader, Reconnaissance, Info stealer\r\nDescription:\r\n(Mandiant) A downloader, which Mandiant tracks as DRAWSTRING, has some internal recon\r\nfunctionality. While primarily providing FIN13 the ability to download and execute arbitrary\r\nfiles, DRAWSTRING will also execute systeminfo.exe and upload that information to a\r\ncommand and control (C2) server.\r\nInformation: \u003chttps://www.mandiant.com/resources/fin13-cybercriminal-mexico\u003e\r\nLast change to this tool card: 26 December 2021\r\nAll groups using tool DRAWSTRING\r\nChanged Name Country Observed\r\nAPT groups\r\nFIN13 [Unknown] 2016\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aebae8ef-2707-4ad8-9173-415439e38842",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=aebae8ef-2707-4ad8-9173-415439e38842"
	],
	"report_names": [
		"listgroups.cgi?u=aebae8ef-2707-4ad8-9173-415439e38842"
	],
	"threat_actors": [
		{
			"id": "575d8adf-f451-4110-b1c0-89fb463e99c0",
			"created_at": "2022-10-25T16:07:23.637493Z",
			"updated_at": "2026-04-10T02:00:04.696832Z",
			"deleted_at": null,
			"main_name": "FIN13",
			"aliases": [],
			"source_name": "ETDA:FIN13",
			"tools": [
				"BLUEAGAVE",
				"BUSTEDPIPE",
				"CLOSEWATCH",
				"GetUserSPNS.vbs",
				"GoBot2",
				"HOTLANE",
				"JSPRAT",
				"MAILSLOT",
				"PowerSploit",
				"ProcDump",
				"SHELLSWEEP",
				"SIXPACK",
				"SPINOFF",
				"SWEARJAR",
				"Tiny SHell",
				"nmap",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7aa1288a-61ec-4793-b543-9fedc26b9b03",
			"created_at": "2023-11-01T02:01:06.805323Z",
			"updated_at": "2026-04-10T02:00:05.331884Z",
			"deleted_at": null,
			"main_name": "FIN13",
			"aliases": [
				"FIN13",
				"Elephant Beetle"
			],
			"source_name": "MITRE:FIN13",
			"tools": [
				"Impacket",
				"Mimikatz",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f57e32ac-9f90-471d-93ba-7f6d8b05e6c1",
			"created_at": "2023-01-06T13:46:39.29882Z",
			"updated_at": "2026-04-10T02:00:03.279184Z",
			"deleted_at": null,
			"main_name": "FIN13",
			"aliases": [
				"TG2003",
				"Elephant Beetle"
			],
			"source_name": "MISPGALAXY:FIN13",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434759,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86dd20e40f2a4013186441b6d359410559a821a2.pdf",
		"text": "https://archive.orkl.eu/86dd20e40f2a4013186441b6d359410559a821a2.txt",
		"img": "https://archive.orkl.eu/86dd20e40f2a4013186441b6d359410559a821a2.jpg"
	}
}