{ "id": "cfc6e60c-6f4a-4ba4-b533-45612317b203", "created_at": "2026-04-06T00:18:33.635084Z", "updated_at": "2026-04-10T03:32:56.813356Z", "deleted_at": null, "sha1_hash": "904e5137a3ded5c8dce9cdb1443794b3c750412e", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50136, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:01:26 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Excalibur\r\n Tool: Excalibur\r\nNames\r\nExcalibur\r\nSabresac\r\nSaber\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Cylance) Saber is a custom RAT that periodically queries a web-based C2 server for\r\ncommands. The only active instances SPEAR was able to identify were hosted on the Chinese\r\ncode development site 'csdn(dot)net'. Kitkiot variants are commonly installed alongside other\r\ntypes of malware and often included additional functionality, including:\r\n• Denial of Service (DoS) and Distributed Denial of Service (DDoS) capabilities\r\n• The ability to hijack and steal in-game account information and items from multiple online\r\ngaming platforms\r\n• In some rare cases these were used for click-through advertising fraud.\r\nInformation\r\n\u003chttps://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur\u003e\r\nLast change to this tool card: 23 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Excalibur\r\nChanged Name Country Observed\r\nAPT groups\r\n  PassCV 2016  \r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7988e6c1-d35e-4a7e-a1b5-5a24c4a4f6ea\r\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7988e6c1-d35e-4a7e-a1b5-5a24c4a4f6ea\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7988e6c1-d35e-4a7e-a1b5-5a24c4a4f6ea\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7988e6c1-d35e-4a7e-a1b5-5a24c4a4f6ea" ], "report_names": [ "listgroups.cgi?u=7988e6c1-d35e-4a7e-a1b5-5a24c4a4f6ea" ], "threat_actors": [ { "id": "27b56f48-7905-4da8-8d87-cea10adb1c6b", "created_at": "2022-10-25T16:07:24.044105Z", "updated_at": "2026-04-10T02:00:04.848898Z", "deleted_at": null, "main_name": "PassCV", "aliases": [], "source_name": "ETDA:PassCV", "tools": [ "Agentemis", "AngryRebel", "BleDoor", "Cobalt Strike", "CobaltStrike", "Excalibur", "Farfli", "Gh0st RAT", "Ghost RAT", "Kitkiot", "Moudour", "Mydoor", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "PCRat", "RbDoor", "Recam", "RibDoor", "Sabresac", "Sensocode", "Winnti", "ZXShell", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "dda68b4f-a74a-42a0-b883-69c1dc1229a8", "created_at": "2023-01-06T13:46:38.528227Z", "updated_at": "2026-04-10T02:00:03.013713Z", "deleted_at": null, "main_name": "PassCV", "aliases": [], "source_name": "MISPGALAXY:PassCV", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434713, "ts_updated_at": 1775791976, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/904e5137a3ded5c8dce9cdb1443794b3c750412e.pdf", "text": "https://archive.orkl.eu/904e5137a3ded5c8dce9cdb1443794b3c750412e.txt", "img": "https://archive.orkl.eu/904e5137a3ded5c8dce9cdb1443794b3c750412e.jpg" } }