{
	"id": "4a648b2c-d301-4d3b-a49c-c2e4e730a0a2",
	"created_at": "2026-04-06T00:10:53.982299Z",
	"updated_at": "2026-04-10T13:11:24.248139Z",
	"deleted_at": null,
	"sha1_hash": "9828ec0ccbc0e8811ff4027fb9feca054ae363ef",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56518,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:31:34 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool IMAPLoader\r\n Tool: IMAPLoader\r\nNames IMAPLoader\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Downloader\r\nDescription\r\n(PWC) IMAPLoader is a .NET malware that has the ability to fingerprint victim systems\r\nusing native Windows utilities and acts as a downloader for further payloads. It uses\r\nemail as a C2 channel and is able to execute payloads extracted from email attachments\r\nand is executed via new service deployments.\r\nInformation\r\n\u003chttps://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html\u003e\r\nMITRE ATT\u0026CK \u003chttps://attack.mitre.org/software/S1152\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.imap_loader\u003e\r\nLast change to this tool card: 27 December 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool IMAPLoader\r\nChanged Name Country Observed\r\nAPT groups\r\n  Tortoiseshell, Imperial Kitten 2018-Oct 2023\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5f8ee245-6943-4152-8f38-0c470d853b47\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5f8ee245-6943-4152-8f38-0c470d853b47\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5f8ee245-6943-4152-8f38-0c470d853b47"
	],
	"report_names": [
		"listgroups.cgi?u=5f8ee245-6943-4152-8f38-0c470d853b47"
	],
	"threat_actors": [
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2",
			"created_at": "2023-04-26T02:03:02.969306Z",
			"updated_at": "2026-04-10T02:00:05.341127Z",
			"deleted_at": null,
			"main_name": "CURIUM",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"TA456",
				"Tortoise Shell",
				"Yellow Liderc"
			],
			"source_name": "MITRE:CURIUM",
			"tools": [
				"IMAPLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434253,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9828ec0ccbc0e8811ff4027fb9feca054ae363ef.pdf",
		"text": "https://archive.orkl.eu/9828ec0ccbc0e8811ff4027fb9feca054ae363ef.txt",
		"img": "https://archive.orkl.eu/9828ec0ccbc0e8811ff4027fb9feca054ae363ef.jpg"
	}
}