{ "id": "f92b41f1-4050-44c1-8ef1-7d7be8b6d268", "created_at": "2026-04-06T00:10:17.352477Z", "updated_at": "2026-04-10T13:12:29.665221Z", "deleted_at": null, "sha1_hash": "90b46c7b9a64dc5031ba8a1b4058fe6d8e80542f", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49709, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:20:02 UTC\n Other threat group: TA511\nNames\nTA511 (Proofpoint)\nMAN1 (?)\nMoskalvzapoe (?)\nCountry [Unknown]\nMotivation Financial crime\nFirst seen 2018\nDescription\n(Palo Alto) Hancitor is an information stealer and malware downloader used by a\nthreat actor designated as MAN1, Moskalvzapoe or TA511. In a threat brief from\n2018, we noted Hancitor was relatively unsophisticated, but it would remain a threat\nfor years to come. Approximately three years later, Hancitor remains a threat and has\nevolved to use tools like Cobalt Strike. In recent months, this actor began using a\nnetwork ping tool to help enumerate the Active Directory (AD) environment of\ninfected hosts. This blog illustrates how the threat actor behind Hancitor uses the\nnetwork ping tool, so security professionals can better identify and block its use.\nObserved\nCountries: Argentina, Brazil, Canada, Germany, Hong Kong, India, Ireland, Israel,\nItaly, Japan, Kazakhstan, Lithuania, Malaysia, Netherlands, Russia, Singapore,\nSouth Africa, South Korea, Taiwan, Thailand, Turkey, Ukraine, UK, USA, Vietnam.\nTools used Cobalt Strike, Ficker Stealer, Hancitor, NetSupport Manager.\nOperations performed Oct 2020\nHancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool\nInformation Last change to this card: 21 April 2021\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=232acfd0-5488-4391-ae93-6e1dc4df99d4\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=232acfd0-5488-4391-ae93-6e1dc4df99d4\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=232acfd0-5488-4391-ae93-6e1dc4df99d4" ], "report_names": [ "showcard.cgi?u=232acfd0-5488-4391-ae93-6e1dc4df99d4" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1f6ae238-765f-4495-9d54-6a7883d7a319", "created_at": "2022-10-25T16:07:24.573456Z", "updated_at": "2026-04-10T02:00:05.037738Z", "deleted_at": null, "main_name": "TA511", "aliases": [ "MAN1", "Moskalvzapoe" ], "source_name": "ETDA:TA511", "tools": [ "Agentemis", "Chanitor", "Cobalt Strike", "CobaltStrike", "Ficker Stealer", "Hancitor", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "542cf9d0-9c68-428c-aff8-81b6f59dc985", "created_at": "2023-02-15T02:01:49.554105Z", "updated_at": "2026-04-10T02:00:03.347115Z", "deleted_at": null, "main_name": "Moskalvzapoe", "aliases": [ "MAN1", "TA511" ], "source_name": "MISPGALAXY:Moskalvzapoe", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434217, "ts_updated_at": 1775826749, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/90b46c7b9a64dc5031ba8a1b4058fe6d8e80542f.pdf", "text": "https://archive.orkl.eu/90b46c7b9a64dc5031ba8a1b4058fe6d8e80542f.txt", "img": "https://archive.orkl.eu/90b46c7b9a64dc5031ba8a1b4058fe6d8e80542f.jpg" } }