{
	"id": "dff7983d-d102-4b6d-8561-f87d343d66be",
	"created_at": "2026-04-06T00:08:09.284574Z",
	"updated_at": "2026-04-10T03:20:30.873405Z",
	"deleted_at": null,
	"sha1_hash": "9370da9a6ab23898168da441f98431ef50853fb7",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33853,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:55:25 UTC\r\nDescription (Kaspersky) If a Microsoft Office vulnerability is successfully exploited, the exploit creates an\r\nexecutable PE file on the hard drive and launches it for execution. The malicious program is a platform used to\r\ndeploy extra (add-on) malicious modules, store them stealthily and thus add new capabilities for the threat actors.\r\nThe attack unfolds in several stages, as described below:\r\n1. The exploit is activated, and an appropriate (32-bit or 64-bit) version of the malicious program is installed on\r\nthe victim computer, depending on the type of operating system installed on it. To do this installation, malicious\r\ncode is injected into the system process ‘explorer.exe’ rather than into its memory. The malicious program has a\r\nmodular structure: its main body is stored in the registry, while its add-on modules are downloaded following the\r\ninstruction arriving from the C\u0026C server. DLL hijacking (use of a modified system library) is used to ensure that\r\nthe main module is launched each time the system is rebooted.\r\n2. The main module of the malicious program receives an instruction to download and launch add-on modules,\r\nwhich opens new capabilities for the threat actors.\r\n3. The malicious add-on modules provide opportunities to control the victim system, take screenshots of windows\r\nand intercept information entered from the keyboard. We have seen them in other cyber-espionage campaigns as\r\nwell.\r\n4. The threat actors use PowerSploit, a modified set of PowerShell scripts, and various utilities to steal files and\r\npasswords found on the victim computer.\r\nThe cybercriminals were primarily interested in .doc, .ppt, .xls, .docx, .pptx, .xlsx, .pdf, .txt and .rtf files on the\r\nvictim computers. The harvested files were packed into a password-protected archive and sent to the threat actors’\r\nserver.\r\nOverall, the tactics, techniques and procedures that the cybercriminals used in their attacks can hardly be\r\nconsidered complicated or expensive. However, there were a few things that caught our eye:\r\n• The payload (at least one of the modules) is delivered using some simple steganography. Within traffic, it looks\r\nlike a download of a regular JPEG image; however, the encrypted payload is loaded immediately after the image\r\ndata. Microcin searches for a special ‘ABCD’ label in such a file; it is followed by a special structure, after which\r\nthe payload comes, to be decrypted by Microcin. This way, new, platform-independent code and/or PE files can be\r\ndelivered.\r\n• If the Microcin installer detects the processes of some anti-malware programs running in the system, then, during\r\ninstallation, it skips the step of injecting into ‘explorer.exe’, and the modified system library used for establishing\r\nthe malicious program within the system is placed into the folder %WINDIR%; to do this, the system app\r\n‘wusa.exe’ is used with the parameter “/extract” (on operating systems with UAC).\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=705c13b2-54c2-428c-8367-fe5387ae15ea",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=705c13b2-54c2-428c-8367-fe5387ae15ea"
	],
	"report_names": [
		"listgroups.cgi?u=705c13b2-54c2-428c-8367-fe5387ae15ea"
	],
	"threat_actors": [],
	"ts_created_at": 1775434089,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9370da9a6ab23898168da441f98431ef50853fb7.pdf",
		"text": "https://archive.orkl.eu/9370da9a6ab23898168da441f98431ef50853fb7.txt",
		"img": "https://archive.orkl.eu/9370da9a6ab23898168da441f98431ef50853fb7.jpg"
	}
}