{
	"id": "dc84c6a3-389e-489c-a313-1754db932dc4",
	"created_at": "2026-04-06T00:14:30.876379Z",
	"updated_at": "2026-04-10T03:35:52.852165Z",
	"deleted_at": null,
	"sha1_hash": "977749d5dc539f66cbe672015769c994e5246394",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48043,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:33:40 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BIRDWATCH\r\n Tool: BIRDWATCH\r\nNames BIRDWATCH\r\nCategory Malware\r\nType Loader\r\nDescription\r\n(Mandiant) Our deep dive also revealed usage of BIRDWATCH and its similar variants used\r\nby FIN7 and suspected FIN7 groups such as UNC3381. BIRDWATCH is a .NET-based\r\ndownloader which retrieves payloads over HTTP, writing them to disk and then executing\r\nthem. BIRDWATCH uploads reconnaissance information from targeted systems as well, which\r\nincludes running processes, software installed, network configuration, web browser\r\ninformation and Active Directory data.\r\nBIRDWATCH is often referred to collectively as “JSSLoader”; however, multiple variations of\r\nBIRDWATCH exist which we track as separate code families. One variant of BIRDWATCH is\r\nCROWVIEW, which is also .NET-based, but has enough code differences from prototypical\r\nBIRDWATCH that we cluster it separately. Unlike BIRDWATCH, CROWVIEW can house an\r\nembedded payload, can self-delete, supports additional arguments and stores a slightly\r\ndifferent configuration.\r\nInformation \u003chttps://www.mandiant.com/resources/evolution-of-fin7\u003e\r\nLast change to this tool card: 05 April 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool BIRDWATCH\r\nChanged Name Country Observed\r\nAPT groups\r\n  FIN7 2013-Jul 2024\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cf534111-0a03-442d-a487-aecec978ba25\r\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cf534111-0a03-442d-a487-aecec978ba25\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cf534111-0a03-442d-a487-aecec978ba25\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=cf534111-0a03-442d-a487-aecec978ba25"
	],
	"report_names": [
		"listgroups.cgi?u=cf534111-0a03-442d-a487-aecec978ba25"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434470,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/977749d5dc539f66cbe672015769c994e5246394.pdf",
		"text": "https://archive.orkl.eu/977749d5dc539f66cbe672015769c994e5246394.txt",
		"img": "https://archive.orkl.eu/977749d5dc539f66cbe672015769c994e5246394.jpg"
	}
}