{
	"id": "fb5602c1-0c00-43a8-b3ff-f840bfa04cfc",
	"created_at": "2026-04-06T00:22:12.533421Z",
	"updated_at": "2026-04-10T03:29:45.252772Z",
	"deleted_at": null,
	"sha1_hash": "a179d9d4fe79bcbf27290dbea490c22822069b65",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59491,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:34:21 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool DOUBLEFANTASY\n Tool: DOUBLEFANTASY\nNames\nDOUBLEFANTASY\nDoubleFantasy\nVALIDATOR\nCategory Malware\nType Reconnaissance, Downloader\nDescription\n(Kaspersky) The Equation Group’s DoubleFantasy implant is a validator-style Trojan which\nsends basic information about the system to the attackers. It also allows them to upload a more\nsophisticated Trojan platform, such as EQUATIONDRUG or GRAYFISH. In general, after\none of these sophisticated platforms are installed, the attackers remove the DoubleFantasy\nimplant. In case the victim doesn’t check out, for example, if they are a researcher analysing\nthe malware, the attackers can simply choose to uninstall the DoubleFantasy implant and clean\nup the victim’s machine.\nInformation\nMalpedia\nLast change to this tool card: 28 December 2022\nDownload this tool card in JSON format\nAll groups using tool DOUBLEFANTASY\nChanged Name Country Observed\nAPT groups\n Equation Group 2001-Aug 2016\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e44cd7d-5496-4c09-9a9f-d823f9637796\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e44cd7d-5496-4c09-9a9f-d823f9637796\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e44cd7d-5496-4c09-9a9f-d823f9637796\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7e44cd7d-5496-4c09-9a9f-d823f9637796"
	],
	"report_names": [
		"listgroups.cgi?u=7e44cd7d-5496-4c09-9a9f-d823f9637796"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434932,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a179d9d4fe79bcbf27290dbea490c22822069b65.pdf",
		"text": "https://archive.orkl.eu/a179d9d4fe79bcbf27290dbea490c22822069b65.txt",
		"img": "https://archive.orkl.eu/a179d9d4fe79bcbf27290dbea490c22822069b65.jpg"
	}
}