{ "id": "049217ad-e95e-4ced-aac8-630d587031f2", "created_at": "2026-04-06T00:19:42.202201Z", "updated_at": "2026-04-10T13:12:09.349393Z", "deleted_at": null, "sha1_hash": "9387ade1f8761814667c51227b22da8620373008", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49151, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:21:10 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SodomMain\r\n Tool: SodomMain\r\nNames\r\nSodomMain\r\nSodomMain RAT\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer\r\nDescription\r\n(Proofpoint) The SodomMain module is LookBack malware’s remote access Trojan module\r\nthat can send and receive numerous commands indicative of its function as a RAT. The\r\nmalware is delivered within the encoded data that is received by the SodomNormal module as\r\npart of its initial beacon response. It then runs within the SodomNormal module and uses\r\nits “send_data” function for C\u0026C communications. The data is ultimately relayed to the GUP\r\nProxy Tool and the C\u0026C IP.\r\nNoteworthy malware commands include:\r\n• Get process listing\r\n• Kill process\r\n• Executes cmd[.] exe command\r\n• Gets drive type\r\n• Find files\r\n• Read files\r\n• Delete files\r\n• Write to files\r\n• Execute files\r\n• Enumerate services\r\n• Starts services\r\n• Delete services\r\n• Takes a screenshot of desktop\r\n• Move/Click Mouse and take a screenshot\r\n• Exit\r\n• Removes self (libcurl[.] dll)\r\n• Shutdown\r\n• Reboot\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=05cfbccf-adae-47a8-ad09-da2ee0f7516a\r\nPage 1 of 2\n\nInformation\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool SodomMain\r\nChanged Name Country Observed\r\nAPT groups\r\n  LookBack, TA410 [Unknown] 2019-Feb 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=05cfbccf-adae-47a8-ad09-da2ee0f7516a\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=05cfbccf-adae-47a8-ad09-da2ee0f7516a\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=05cfbccf-adae-47a8-ad09-da2ee0f7516a" ], "report_names": [ "listgroups.cgi?u=05cfbccf-adae-47a8-ad09-da2ee0f7516a" ], "threat_actors": [ { "id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3", "created_at": "2022-10-25T16:07:23.80111Z", "updated_at": "2026-04-10T02:00:04.753677Z", "deleted_at": null, "main_name": "LookBack", "aliases": [ "FlowingFrog", "LookBack", "LookingFrog", "TA410", "Witchetty" ], "source_name": "ETDA:LookBack", "tools": [ "FlowCloud", "GUP Proxy Tool", "SodomMain", "SodomMain RAT", "SodomNormal" ], "source_id": "ETDA", "reports": null }, { "id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1", "created_at": "2023-01-06T13:46:39.059774Z", "updated_at": "2026-04-10T02:00:03.199867Z", "deleted_at": null, "main_name": "TA410", "aliases": [], "source_name": "MISPGALAXY:TA410", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434782, "ts_updated_at": 1775826729, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9387ade1f8761814667c51227b22da8620373008.pdf", "text": "https://archive.orkl.eu/9387ade1f8761814667c51227b22da8620373008.txt", "img": "https://archive.orkl.eu/9387ade1f8761814667c51227b22da8620373008.jpg" } }