{ "id": "c2d6491b-1957-48a2-8cc8-d8268dee7a87", "created_at": "2026-04-06T01:30:42.316814Z", "updated_at": "2026-04-10T03:30:57.994369Z", "deleted_at": null, "sha1_hash": "9e16905f4eab1336db73b610e7092a69ce65a1d1", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45380, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:44:51 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BLUEAGAVE\r\n Tool: BLUEAGAVE\r\nNames BLUEAGAVE\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Mandiant) FIN13 has also extensively deployed the PowerShell passive backdoor\r\nBLUEAGAVE on target hosts when establishing an initial foothold in an environment.\r\nBLUEAGAVE utilizes the HttpListener .NET class to establish a local HTTP server on high\r\nephemeral ports (65510-65512). The backdoor listens for incoming HTTP requests to the root\r\nURI / on the established port, parses the HTTP request, and executes the URL encoded data\r\nstored within the ‘kmd’ variable of the request via the Windows Command Prompt (cmd.exe).\r\nThe output of this command is then sent back to the operator in the body of the HTTP\r\nresponse. In addition, Mandiant has identified a Perl version of BLUEAGAVE which allows\r\nFIN13 to establish a foothold on Linux systems.\r\nInformation \u003chttps://www.mandiant.com/resources/fin13-cybercriminal-mexico\u003e\r\nLast change to this tool card: 26 December 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool BLUEAGAVE\r\nChanged Name Country Observed\r\nAPT groups\r\n  FIN13 [Unknown] 2016  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0380de25-2be3-4367-81a5-6dce337093ef\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0380de25-2be3-4367-81a5-6dce337093ef\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0380de25-2be3-4367-81a5-6dce337093ef" ], "report_names": [ "listgroups.cgi?u=0380de25-2be3-4367-81a5-6dce337093ef" ], "threat_actors": [ { "id": "575d8adf-f451-4110-b1c0-89fb463e99c0", "created_at": "2022-10-25T16:07:23.637493Z", "updated_at": "2026-04-10T02:00:04.696832Z", "deleted_at": null, "main_name": "FIN13", "aliases": [], "source_name": "ETDA:FIN13", "tools": [ "BLUEAGAVE", "BUSTEDPIPE", "CLOSEWATCH", "GetUserSPNS.vbs", "GoBot2", "HOTLANE", "JSPRAT", "MAILSLOT", "PowerSploit", "ProcDump", "SHELLSWEEP", "SIXPACK", "SPINOFF", "SWEARJAR", "Tiny SHell", "nmap", "tsh" ], "source_id": "ETDA", "reports": null }, { "id": "7aa1288a-61ec-4793-b543-9fedc26b9b03", "created_at": "2023-11-01T02:01:06.805323Z", "updated_at": "2026-04-10T02:00:05.331884Z", "deleted_at": null, "main_name": "FIN13", "aliases": [ "FIN13", "Elephant Beetle" ], "source_name": "MITRE:FIN13", "tools": [ "Impacket", "Mimikatz", "certutil" ], "source_id": "MITRE", "reports": null }, { "id": "f57e32ac-9f90-471d-93ba-7f6d8b05e6c1", "created_at": "2023-01-06T13:46:39.29882Z", "updated_at": "2026-04-10T02:00:03.279184Z", "deleted_at": null, "main_name": "FIN13", "aliases": [ "TG2003", "Elephant Beetle" ], "source_name": "MISPGALAXY:FIN13", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775439042, "ts_updated_at": 1775791857, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9e16905f4eab1336db73b610e7092a69ce65a1d1.pdf", "text": "https://archive.orkl.eu/9e16905f4eab1336db73b610e7092a69ce65a1d1.txt", "img": "https://archive.orkl.eu/9e16905f4eab1336db73b610e7092a69ce65a1d1.jpg" } }