{
	"id": "996a90c5-bfb1-4d67-ac53-652c5f824b85",
	"created_at": "2026-04-06T00:18:38.864684Z",
	"updated_at": "2026-04-10T13:12:29.320829Z",
	"deleted_at": null,
	"sha1_hash": "99672da3d76802812074a392c6cf99493e72419e",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33328,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:37:13 UTC\r\nDescription\r\nCurrently, we identify this malware family as “Ghambar,” due to the word being used in some function names and variables inside the same malware’s code; also, subsequent samples expose potentially personally identifiable information and alternative names. While Ghambar does not seem to share any significant codebase with past tools, we believe that Ghambar might be the successor of TinyZBot, which is one of the artifacts described by Cylance in the Operation Cleaver report. Similar to TinyZBot, Ghambar is also developed in C# and it employs the same SOAP-based command and control protocol. While it is provided with fewer features, Ghambar appears better designed and with a cleaner code style.\r\nInterestingly, Ghambar is designed to leave as little footprint on the system as possible. When collecting screenshots, clipboard data, and intercepted keystrokes, it attempts to send the data directly to the C\u0026C without writing to disk.\r\nWhile executing a parallel keylogger, Ghambar is also able to receive instructions from the C\u0026C on additional tasks to execute. These tasks can be additional plugins to be downloaded and executed, generic tasks on the file system, or a number of predefined commands.\r\nGhambar is provided with a full-featured plugin system. If instructed to do so by the C\u0026C, the malware is able to download, store, and execute any given plugin.\r\nOther than generally creating, deleting and fetching files, Ghambar is also able to execute a number of predefined commands if instructed to do so by the C\u0026C. The commands, identified by a command-type identifier, include the following:\r\n• Self-destruct;\r\n• Execute a command through 'cmd.exe' and return output;\r\n• Take a screenshot;\r\n• Shut down the computer;\r\n• Restart the computer;\r\n• Log off the user;\r\n• Lock the computer;\r\n• Turn the monitor on and off;\r\n• Set and copy clipboard data;\r\n• Enable or disable mouse/keyboard (although these procedures are not yet implemented);\r\n• “Enable or disable desktop” (not implemented);\r\n• Trigger a BSOD (also not implemented).\r\nWhile the sample we obtained might be an earlier stage still under development, Ghambar is already provided with enough features to make it a fully functional backdoor.\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=622b301b-0b13-410c-a772-2c9d6194a606\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=622b301b-0b13-410c-a772-2c9d6194a606\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=622b301b-0b13-410c-a772-2c9d6194a606"
	],
	"report_names": [
		"listgroups.cgi?u=622b301b-0b13-410c-a772-2c9d6194a606"
	],
	"threat_actors": [
		{
			"id": "49f1ada0-181f-4e89-a449-e6bc13c8c6b1",
			"created_at": "2022-10-25T15:50:23.561511Z",
			"updated_at": "2026-04-10T02:00:05.382592Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"Threat Group 2889",
				"TG-2889"
			],
			"source_name": "MITRE:Cleaver",
			"tools": [
				"Net Crawler",
				"PsExec",
				"TinyZBot",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "217c588a-5896-4335-b9ec-a516ae2f9a7e",
			"created_at": "2022-10-25T16:07:23.513775Z",
			"updated_at": "2026-04-10T02:00:04.635263Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"Cutting Kitten",
				"G0003",
				"Operation Cleaver",
				"TG-2889"
			],
			"source_name": "ETDA:Cutting Kitten",
			"tools": [
				"CsExt",
				"DistTrack",
				"IvizTech",
				"Jasus",
				"KAgent",
				"Logger Module",
				"MANGOPUNCH",
				"MPK",
				"MPKBot",
				"Net Crawler",
				"NetC",
				"PVZ-In",
				"PVZ-Out",
				"Pupy",
				"PupyRAT",
				"PvzOut",
				"Shamoon",
				"SynFlooder",
				"SysKit",
				"TinyZBot",
				"WndTest",
				"pupy",
				"zhCat",
				"zhMimikatz"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434718,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99672da3d76802812074a392c6cf99493e72419e.pdf",
		"text": "https://archive.orkl.eu/99672da3d76802812074a392c6cf99493e72419e.txt",
		"img": "https://archive.orkl.eu/99672da3d76802812074a392c6cf99493e72419e.jpg"
	}
}