{
	"id": "f2b57e51-841a-4268-89ec-8c722db3a9c5",
	"created_at": "2026-04-06T03:36:17.150337Z",
	"updated_at": "2026-04-10T13:12:45.072165Z",
	"deleted_at": null,
	"sha1_hash": "a01abe3b27be0a1bfaa33f0d006a30182b4dae36",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51508,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 03:00:03 UTC\r\n APT group: WIRTE Group\r\nNames\r\nWIRTE Group (LAB52)\r\nWhite Dev 21 (PWC)\r\nG0090 (MITRE)\r\nCountry [Middle East]\r\nSponsor Hamas\r\nMotivation Information theft and espionage, Sabotage and destruction\r\nFirst seen 2018\r\nDescription\r\n(LAB52) The DFIR (Digital Forensics and Incident Response) team of S2 Grupo\r\nfirst identified this actor in August 2018 and since then the follow-up has been\r\ncarried out during the last few months.\r\nThis group attacks the Middle East and does not use very sophisticated mechanisms,\r\nat least in the campaign started in August 2018 which was monitored. It is\r\nconsidered unsophisticated by the fact that the scripts are unobtrusive,\r\ncommunications go unencrypted by HTTP, they use Powershell (increasingly\r\nmonitored), and so on. Despite this apparently unsophisticated modus operandi\r\ncompared to other actors, they manage to infect their victims and carry out their\r\nobjectives. In addition, as will be seen during the report, the detection rate of some\r\nof the scripts in December 2018 by the main antivirus manufacturers is low, an\r\naspect that must be highlighted. 
We must be aware that once these scripts are\r\nexecuted, it is when the behavior analysis of many solutions will detect them, but\r\nthis fact has not been studied by LAB52.\r\nThis actor in all the artifacts analyzed shows his victims a decoy document in Arabic\r\nwith different themes.\r\nObserved\r\nSectors: Defense, Government and diplomats.\r\nCountries: Egypt, Iraq, Israel, Jordan, Lebanon, Saudi Arabia and Palestinian\r\nAuthority.\r\nTools used\r\nEmpireProject, H-Worm, SameCoin, Living off the Land and several VBScript,\r\nPowerShell and VBA scripts.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=11af3547-2172-45ce-8d33-721c3d39bbc9\r\nOperations performed Feb 2024\nHamas-affiliated Threat Actor WIRTE Continues its Middle East\nOperations and Moves to Disruptive Activity\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=11af3547-2172-45ce-8d33-721c3d39bbc9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=11af3547-2172-45ce-8d33-721c3d39bbc9"
	],
	"report_names": [
		"showcard.cgi?u=11af3547-2172-45ce-8d33-721c3d39bbc9"
	],
	"threat_actors": [
		{
			"id": "b14cd6df-3108-4839-8a2d-52eb2f8ce9c8",
			"created_at": "2022-10-25T15:50:23.798666Z",
			"updated_at": "2026-04-10T02:00:05.255838Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"WIRTE"
			],
			"source_name": "MITRE:WIRTE",
			"tools": [
				"LitePower",
				"Ferocious"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7800d05d-e713-4a4f-9b4f-0b960fb82c9d",
			"created_at": "2023-11-14T02:00:07.079123Z",
			"updated_at": "2026-04-10T02:00:03.444083Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"Ashen Lepus"
			],
			"source_name": "MISPGALAXY:WIRTE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bad0c51-0d2b-4f04-b355-f88c960db813",
			"created_at": "2025-08-07T02:03:24.546734Z",
			"updated_at": "2026-04-10T02:00:03.691101Z",
			"deleted_at": null,
			"main_name": "ALUMINUM THORN",
			"aliases": [
				"Frankenstein ",
				"WIRTE "
			],
			"source_name": "Secureworks:ALUMINUM THORN",
			"tools": [
				"FruityC2",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa5c2fa9-e018-484b-9f4a-0ef76ebbbf57",
			"created_at": "2022-10-25T16:07:24.41839Z",
			"updated_at": "2026-04-10T02:00:04.982315Z",
			"deleted_at": null,
			"main_name": "WIRTE Group",
			"aliases": [
				"G0090",
				"White Dev 21"
			],
			"source_name": "ETDA:WIRTE Group",
			"tools": [
				"EmPyre",
				"EmpireProject",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"Jenxcus",
				"Kognito",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Njw0rm",
				"PowerShell Empire",
				"SameCoin",
				"WSHRAT",
				"dinihou",
				"dunihi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446577,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a01abe3b27be0a1bfaa33f0d006a30182b4dae36.pdf",
		"text": "https://archive.orkl.eu/a01abe3b27be0a1bfaa33f0d006a30182b4dae36.txt",
		"img": "https://archive.orkl.eu/a01abe3b27be0a1bfaa33f0d006a30182b4dae36.jpg"
	}
}