{
	"id": "261e80e2-a4c2-4936-a111-1573dd39eeb1",
	"created_at": "2026-04-06T00:18:15.314407Z",
	"updated_at": "2026-04-10T03:25:29.887418Z",
	"deleted_at": null,
	"sha1_hash": "a3a4abb02000ee738f9a7f34944e8f683017748e",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54639,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:27:09 UTC\r\nTool: ShellClient\r\nNames ShellClient\r\nCategory Malware\r\nType Exfiltration\r\nDescription\r\n(Cybereason) The investigation into Operation GhostShell also revealed that ShellClient dates\r\nback to at least 2018, and has been continuously evolving ever since while successfully\r\nevading most security tools and remaining completely unknown. By studying the ShellClient\r\ndevelopment cycles, the researchers were able to observe how ShellClient has morphed over\r\ntime from a rather simple reverse shell to a sophisticated RAT used to facilitate cyber\r\nespionage operations while remaining undetected.\r\nThe most recent ShellClient versions observed in Operation GhostShell follow the trend of\r\nabusing cloud-based storage services, in this case the popular Dropbox service. The\r\nShellClient authors chose to abandon their previous C2 domain and replace the command and\r\ncontrol mechanism of the malware with a more simple yet more stealthy C2 channel using\r\nDropbox to exfiltrate the stolen data as well as to send commands to the malware. This trend\r\nhas been increasingly adopted by many threat actors due to its simplicity and the ability to\r\neffectively blend in with legitimate network traffic.\r\nInformation\r\n\u003chttps://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms\u003e\r\nLast change to this tool card: 02 November 2021\r\nAll groups using tool ShellClient\r\nChanged Name Country Observed\r\nAPT groups\r\nMalKamak 2018\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ee4d9bc0-74e7-4547-b189-5c25c86ee2ed",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ee4d9bc0-74e7-4547-b189-5c25c86ee2ed"
	],
	"report_names": [
		"listgroups.cgi?u=ee4d9bc0-74e7-4547-b189-5c25c86ee2ed"
	],
	"threat_actors": [
		{
			"id": "8205484f-7cf2-4b43-b2de-c1a500ae310e",
			"created_at": "2022-10-25T16:07:23.861533Z",
			"updated_at": "2026-04-10T02:00:04.764666Z",
			"deleted_at": null,
			"main_name": "MalKamak",
			"aliases": [
				"Operation GhostShell"
			],
			"source_name": "ETDA:MalKamak",
			"tools": [
				"PAExec",
				"SafetyKatz",
				"ShellClient",
				"WinRAR"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7261dbea-1283-4a30-8da6-c30ccfc25024",
			"created_at": "2023-11-30T02:00:07.289432Z",
			"updated_at": "2026-04-10T02:00:03.481506Z",
			"deleted_at": null,
			"main_name": "MalKamak",
			"aliases": [],
			"source_name": "MISPGALAXY:MalKamak",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434695,
	"ts_updated_at": 1775791529,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3a4abb02000ee738f9a7f34944e8f683017748e.pdf",
		"text": "https://archive.orkl.eu/a3a4abb02000ee738f9a7f34944e8f683017748e.txt",
		"img": "https://archive.orkl.eu/a3a4abb02000ee738f9a7f34944e8f683017748e.jpg"
	}
}