{
	"id": "090f0800-0031-4854-8def-c834a7578b86",
	"created_at": "2026-04-06T00:14:38.046729Z",
	"updated_at": "2026-04-10T03:24:56.624421Z",
	"deleted_at": null,
	"sha1_hash": "a3c7149e13cbc5f112f6ca630f402931b5c8b209",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47346,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 12:58:05 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SodomNormal\r\n Tool: SodomNormal\r\nNames SodomNormal\r\nCategory Malware\r\nType Exfiltration, Tunneling\r\nDescription\r\n(Proofpoint) The SodomNormal Communications module runs within the libcurl.dll loader as\r\na loaded DLL. Its primary function is to communicate data gathered by the SodomMain remote\r\naccess Trojan module with the GUP Proxy Tool. It attempts to acquire an existing\r\nconfiguration from the file sodom.ini. However, it appears the configuration is dropped in the\r\nfile sodom.txt instead. If that configuration is not available, it utilizes a hardcoded\r\nconfiguration in the binary.\r\nThe tool uses a custom binary protocol over sockets for its command and control\r\ncommunication with the GUP Proxy Tool and all transferred data is encrypted using a\r\nmodified version of RC4 encryption. It has limited functionality which includes an initial\r\nbeacon, an initial beacon response that includes encoded data containing the SodomMain RAT,\r\nand a command poll which passes header and decrypted data in an exported function enabling\r\nthe SodomMain RAT to run.\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool SodomNormal\r\nChanged Name Country Observed\r\nAPT groups\r\n  LookBack, TA410 [Unknown] 2019-Feb 2022  \r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c3cba930-cea7-4a10-8a8d-d51044f34e47\r\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c3cba930-cea7-4a10-8a8d-d51044f34e47",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c3cba930-cea7-4a10-8a8d-d51044f34e47"
	],
	"report_names": [
		"listgroups.cgi?u=c3cba930-cea7-4a10-8a8d-d51044f34e47"
	],
	"threat_actors": [
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1",
			"created_at": "2023-01-06T13:46:39.059774Z",
			"updated_at": "2026-04-10T02:00:03.199867Z",
			"deleted_at": null,
			"main_name": "TA410",
			"aliases": [],
			"source_name": "MISPGALAXY:TA410",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434478,
	"ts_updated_at": 1775791496,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3c7149e13cbc5f112f6ca630f402931b5c8b209.pdf",
		"text": "https://archive.orkl.eu/a3c7149e13cbc5f112f6ca630f402931b5c8b209.txt",
		"img": "https://archive.orkl.eu/a3c7149e13cbc5f112f6ca630f402931b5c8b209.jpg"
	}
}