{
	"id": "9abb51a8-d1f4-4ded-b734-cf5e1ac7c3a2",
	"created_at": "2026-04-06T00:11:31.201945Z",
	"updated_at": "2026-04-10T03:34:42.42744Z",
	"deleted_at": null,
	"sha1_hash": "88f69f3747be0f0f82546b26ddf138f5b581ab6b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54039,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:05:22 UTC\r\nTool: Triton\r\nNames\r\nTriton\r\nTRITON\r\nTrisis\r\nTRISIS\r\nHatMan\r\nCategory: Malware\r\nType: ICS malware, Reconnaissance, Backdoor, Downloader, Info stealer, Remote command\r\nDescription\r\n(FireEye) The TRITON attack tool was built with a number of features, including the ability to read and write programs, read and write individual functions and query the state of the SIS controller. However, only some of these capabilities were leveraged in the trilog.exe sample (e.g. the attacker did not leverage all of TRITON’s extensive reconnaissance capabilities).\r\nThe TRITON malware contained the capability to communicate with Triconex SIS controllers (e.g. send specific commands such as halt or read its memory content) and remotely reprogram them with an attacker-defined payload. The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller. This sample left legitimate programs in place, expecting the controller to continue operating without a fault or exception. If the controller failed, TRITON would attempt to return it to a running state. If the controller did not recover within a defined time window, this sample would overwrite the malicious program with invalid data to cover its tracks.\r\nInformation\r\n\u003chttps://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html\u003e\r\n\u003chttps://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware\u003e\r\n\u003chttps://dragos.com/blog/trisis/TRISIS-01.pdf\u003e\r\n\u003chttps://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf\u003e\r\n\u003chttps://github.com/ICSrepo/TRISIS-TRITON-HATMAN\u003e\r\nExternal links: MITRE ATT\u0026CK, Malpedia\r\nLast change to this tool card: 30 December 2022\r\nAll groups using tool Triton\r\nChanged | Name | Country | Observed\r\nAPT groups\r\n | TEMP.Veles | | 2014-Mar 2022\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e331cfc5-45c9-4a74-a79f-dac9c622e39f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e331cfc5-45c9-4a74-a79f-dac9c622e39f"
	],
	"report_names": [
		"listgroups.cgi?u=e331cfc5-45c9-4a74-a79f-dac9c622e39f"
	],
	"threat_actors": [
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-10T02:00:05.383475Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-10T02:00:03.1772Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-10T02:00:04.934107Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434291,
	"ts_updated_at": 1775792082,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88f69f3747be0f0f82546b26ddf138f5b581ab6b.pdf",
		"text": "https://archive.orkl.eu/88f69f3747be0f0f82546b26ddf138f5b581ab6b.txt",
		"img": "https://archive.orkl.eu/88f69f3747be0f0f82546b26ddf138f5b581ab6b.jpg"
	}
}
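The record above lists TEMP.Veles three times (MITRE, MISPGALAXY, ETDA) with aliases and tool names that differ only in case or spacing ("XENOTIME"/"Xenotime", "ATK91"/"ATK 91"), and the card itself gives five names for the one tool (Triton, TRITON, Trisis, TRISIS, HatMan). The following is an added example, not ETDA's or ORKL's code, of merging such duplicate entries into one actor record before loading them into a threat-intel store. The merge key, the tool alias map and the trimmed record subset are assumptions constructed from the fields shown in the record above.

```python
"""Merge duplicate threat-actor records that differ only in alias spelling.

Added example (not ETDA's or ORKL's code). Input is a constructed subset of the
threat_actors array in the card record above; the merge key (main_name with
case, spaces, dots and hyphens removed) and TOOL_ALIASES are assumptions.
"""
import re

# Name variants the card lists for Triton; HatMan is the name used by MAR-17-352-01.
TOOL_ALIASES = {
    "Triton": ["Triton", "TRITON", "Trisis", "TRISIS", "HatMan"],
}

# Constructed from the record above: only the fields the merge needs.
THREAT_ACTORS = [
    {"main_name": "TEMP.Veles", "aliases": ["TEMP.Veles", "XENOTIME"],
     "source_id": "MITRE", "tools": ["Mimikatz", "PsExec"]},
    {"main_name": "TEMP.Veles", "aliases": ["Xenotime", "G0088", "ATK91"],
     "source_id": "MISPGALAXY", "tools": []},
    {"main_name": "TEMP.Veles", "aliases": ["ATK 91", "G0088", "Xenotime"],
     "source_id": "ETDA",
     "tools": ["Cryptcat", "HatMan", "Mimikatz", "NetExec", "PsExec",
               "SecHack", "TRISIS", "TRITON", "Trisis", "Triton", "Wii"]},
]


def norm(name: str) -> str:
    """Merge key: lower-case and strip spaces, dots, hyphens and underscores,
    so 'ATK 91' and 'ATK91' (or 'TEMP.Veles' and 'TEMP Veles') compare equal."""
    return re.sub(r"[\s.\-_]", "", name).lower()


def canonical_tool(name: str, alias_map=TOOL_ALIASES) -> str:
    """Map a tool name variant to its canonical card name; unknown names pass through."""
    key = norm(name)
    for canon, variants in alias_map.items():
        if key in {norm(v) for v in variants}:
            return canon
    return name


def merge_actors(records):
    """Group records by normalised main_name and union aliases, tools and sources.

    The first-seen spelling of an alias is kept; tool names are canonicalised
    first, so the five Triton spellings collapse to a single 'Triton' entry.
    """
    merged = {}
    for rec in records:
        entry = merged.setdefault(norm(rec["main_name"]), {
            "main_name": rec["main_name"], "aliases": {}, "tools": {}, "sources": []})
        entry["sources"].append(rec["source_id"])
        for alias in rec["aliases"]:
            entry["aliases"].setdefault(norm(alias), alias)
        for tool in rec["tools"]:
            canon = canonical_tool(tool)
            entry["tools"].setdefault(norm(canon), canon)
    return [
        {"main_name": e["main_name"],
         "aliases": sorted(e["aliases"].values()),
         "tools": sorted(e["tools"].values()),
         "sources": e["sources"]}
        for e in merged.values()
    ]


if __name__ == "__main__":
    for actor in merge_actors(THREAT_ACTORS):
        print(actor)
```

Keeping the first-seen spelling is a deliberate choice: it preserves whatever the highest-priority source (here MITRE, listed first) used, so the merged record stays traceable to that source, while the "sources" list records every feed that contributed.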