{
	"id": "25388eb3-c654-4674-85d7-3e823da2a322",
	"created_at": "2026-04-06T00:15:42.357795Z",
	"updated_at": "2026-04-10T13:11:19.48425Z",
	"deleted_at": null,
	"sha1_hash": "979163893208f5cc82716be6e826bb6229bbc887",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55885,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 15:58:17 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool LEMPO\r\n Tool: LEMPO\r\nNames LEMPO\r\nCategory Malware\r\nType Reconnaissance, Info stealer, Exfiltration\r\nDescription\r\n(Proofpoint) Once the malware, which is an updated version of Liderc that Proofpoint has\r\ndubbed LEMPO, establishes persistence, it can perform reconnaissance on the infected\r\nmachine, save the reconnaissance details to the host, exfiltrate sensitive information to an\r\nactor-controlled email account via SMTPS, and then cover its tracks by deleting that day’s\r\nhost artifacts.\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/global/pulses?q=tag:LEMPO\u003e\r\nLast change to this tool card: 10 August 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool LEMPO\r\nChanged Name Country Observed\r\nAPT groups\r\n  Tortoiseshell, Imperial Kitten 2018-Oct 2023\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=39df9603-9b08-4897-9ac8-7a66a8b728b1\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=39df9603-9b08-4897-9ac8-7a66a8b728b1\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=39df9603-9b08-4897-9ac8-7a66a8b728b1"
	],
	"report_names": [
		"listgroups.cgi?u=39df9603-9b08-4897-9ac8-7a66a8b728b1"
	],
	"threat_actors": [
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2",
			"created_at": "2023-04-26T02:03:02.969306Z",
			"updated_at": "2026-04-10T02:00:05.341127Z",
			"deleted_at": null,
			"main_name": "CURIUM",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"TA456",
				"Tortoise Shell",
				"Yellow Liderc"
			],
			"source_name": "MITRE:CURIUM",
			"tools": [
				"IMAPLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434542,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/979163893208f5cc82716be6e826bb6229bbc887.pdf",
		"text": "https://archive.orkl.eu/979163893208f5cc82716be6e826bb6229bbc887.txt",
		"img": "https://archive.orkl.eu/979163893208f5cc82716be6e826bb6229bbc887.jpg"
	}
}