{ "id": "4cb60e70-0ffc-463f-b836-47a263cd2e14", "created_at": "2026-04-06T03:35:33.740467Z", "updated_at": "2026-04-10T13:12:24.895131Z", "deleted_at": null, "sha1_hash": "a093c9e6ab6deeeb52af87e7795962c675325080", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54439, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 02:57:41 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Cl Wiper\n Tool: Cl Wiper\nNames Cl Wiper\nCategory Malware\nType Wiper\nDescription\n(Check Point) How it works: cl.exe gets arguments from the command line and uses a\nlegitimate driver by ElRawDisk, called rwdsk.sys. The use of ElRawDisk is relatively\ncommon among wipers and has been previously used by several wiper families, some of them\nassociated with Iranian actors. Additionally, the license key used in the wiper is the same as\nthe one used in the ZeroCleare wiper, which is known to be used by several actors with links\nto MOIS. ElRawDisk enables interaction with files, disks, and partitions, proxying the wiping\nprocedures and allowing raw access to the disk.\nInformation\nLast change to this tool card: 18 June 2024\nDownload this tool card in JSON format\nAll groups using tool Cl Wiper\nChanged Name Country Observed\nAPT groups\n HomeLand Justice 2022-Jan 2024\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4b8d6551-2aed-451d-adc9-7070a040f833\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4b8d6551-2aed-451d-adc9-7070a040f833\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4b8d6551-2aed-451d-adc9-7070a040f833" ], "report_names": [ "listgroups.cgi?u=4b8d6551-2aed-451d-adc9-7070a040f833" ], "threat_actors": [ { "id": "7f25e108-e694-49b6-a494-c8458b33eb3f", "created_at": "2024-01-09T02:00:04.199217Z", "updated_at": "2026-04-10T02:00:03.509338Z", "deleted_at": null, "main_name": "HomeLand Justice", "aliases": [], "source_name": "MISPGALAXY:HomeLand Justice", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf", "created_at": "2024-01-18T02:02:34.189827Z", "updated_at": "2026-04-10T02:00:04.721082Z", "deleted_at": null, "main_name": "HomeLand Justice", "aliases": [ "Banished Kitten", "Karma", "Red Sandstorm", "Storm-0842", "Void Manticore" ], "source_name": "ETDA:HomeLand Justice", "tools": [ "BABYWIPER", "BiBi Wiper", "BiBi-Linux Wiper", "BiBi-Windows Wiper", "Cl Wiper", "LowEraser", "No-Justice Wiper", "Plink", "PuTTY Link", "RevSocks", "W2K Res Kit" ], "source_id": "ETDA", "reports": null }, { "id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb", "created_at": "2025-08-07T02:03:24.769383Z", "updated_at": "2026-04-10T02:00:03.860954Z", "deleted_at": null, "main_name": "COBALT MYSTIQUE", "aliases": [ "Banished Kitten ", "DEV-0842 ", "Druidfly ", "Handala Hack Team", "Homeland Justice", "Karmabelow80", "Red Sandstorm ", "Storm-0842 ", "Void Manticore " ], "source_name": "Secureworks:COBALT MYSTIQUE", "tools": [ "AllinOneNeo", "Bibi", "GramPy", "GramPyLoader" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775446533, "ts_updated_at": 1775826744, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a093c9e6ab6deeeb52af87e7795962c675325080.pdf", "text": "https://archive.orkl.eu/a093c9e6ab6deeeb52af87e7795962c675325080.txt", "img": "https://archive.orkl.eu/a093c9e6ab6deeeb52af87e7795962c675325080.jpg" } }