{ "id": "c1db1d5f-97ec-4e11-aa34-4cca6a1d4ea1", "created_at": "2026-04-06T00:17:09.309711Z", "updated_at": "2026-04-10T13:11:54.34002Z", "deleted_at": null, "sha1_hash": "9d0b6abfd60b7790bb27fd0957df5e5cf8285eba", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50526, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:20:29 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool IRONHALO\r\n Tool: IRONHALO\r\nNames IRONHALO\r\nCategory Malware\r\nType Downloader\r\nDescription\r\n(FireEye) IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64\r\nencoded payload from a hard-coded command-and-control (CnC) server and uniform resource\r\nlocator (URL) path.\r\nThe encoded payload is written to a temporary file, decoded and executed in a hidden window.\r\nThe encoded and decoded payloads are written to files named igfxHK[%rand%].dat and\r\nigfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on\r\nthe current timestamp. It persists by copying itself to the current user’s Startup folder.\r\nInformation\r\n\u003chttps://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html\u003e\r\n\u003chttps://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo\u003e\r\nLast change to this tool card: 14 May 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool IRONHALO\r\nChanged Name Country Observed\r\nAPT groups\r\n  APT 16, SVCMONDR 2015  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ad6447b0-774f-48a1-a5da-d03c3e0b94e4\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ad6447b0-774f-48a1-a5da-d03c3e0b94e4\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ad6447b0-774f-48a1-a5da-d03c3e0b94e4\r\nPage 2 of 2\n\nAPT groups APT 16, SVCMONDR 2015 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ad6447b0-774f-48a1-a5da-d03c3e0b94e4" ], "report_names": [ "listgroups.cgi?u=ad6447b0-774f-48a1-a5da-d03c3e0b94e4" ], "threat_actors": [ { "id": "2608db3e-7f7a-42c0-922b-4c9cb22c7ce9", "created_at": "2023-01-06T13:46:38.278691Z", "updated_at": "2026-04-10T02:00:02.90849Z", "deleted_at": null, "main_name": "APT16", "aliases": [ "SVCMONDR", "G0023" ], "source_name": "MISPGALAXY:APT16", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6301aade-ca8b-431c-b5e4-1b6ddd497ffc", "created_at": "2022-10-25T16:07:23.328033Z", "updated_at": "2026-04-10T02:00:04.544144Z", "deleted_at": null, "main_name": "APT 16", "aliases": [ "APT 16", "G0023", "SVCMONDR" ], "source_name": "ETDA:APT 16", "tools": [ "ELMER", "Elmost", "IRONHALO", "SVCMONDR" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434629, "ts_updated_at": 1775826714, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9d0b6abfd60b7790bb27fd0957df5e5cf8285eba.pdf", "text": "https://archive.orkl.eu/9d0b6abfd60b7790bb27fd0957df5e5cf8285eba.txt", "img": "https://archive.orkl.eu/9d0b6abfd60b7790bb27fd0957df5e5cf8285eba.jpg" } }