{ "id": "10b20243-874c-494f-b201-16d9181185c0", "created_at": "2026-04-06T00:07:05.558967Z", "updated_at": "2026-04-10T03:33:23.754196Z", "deleted_at": null, "sha1_hash": "a44cb0cb381c9dbef6b6fa07464cb1dffa794fa5", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54682, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-02 12:19:04 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Infostealer\r\n Tool: Infostealer\r\nNames\r\nInfostealer\r\nstereoversioncontrol\r\nCategory Malware\r\nType Reconnaissance, Info stealer\r\nDescription\r\n(FireEye) Infostealer/stereoversioncontrol.exe downloads a RAR file, as well as the get-logon-history.ps1 tool. It runs several commands on the infected machine to gather information about\r\nit and also the Firefox data of all users of the machine. It then compresses this information\r\nbefore transferring it to a remote directory. Infostealer/Sha.exe/Sha432.exe operates in a\r\nsimilar manner, gathering information about the infected machine.\r\nInformation\r\n\u003chttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Infostealer\r\nChanged Name Country Observed\r\nAPT groups\r\n  Tortoiseshell, Imperial Kitten 2018-Oct 2023\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37806589-2fd5-4d04-aed6-f1d7bb633263\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37806589-2fd5-4d04-aed6-f1d7bb633263\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=37806589-2fd5-4d04-aed6-f1d7bb633263" ], "report_names": [ "listgroups.cgi?u=37806589-2fd5-4d04-aed6-f1d7bb633263" ], "threat_actors": [ { "id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d", "created_at": "2023-11-17T02:00:07.580677Z", "updated_at": "2026-04-10T02:00:03.452097Z", "deleted_at": null, "main_name": "Bohrium", "aliases": [ "BOHRIUM", "IMPERIAL KITTEN", "Smoke Sandstorm" ], "source_name": "MISPGALAXY:Bohrium", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7", "created_at": "2023-01-06T13:46:39.054248Z", "updated_at": "2026-04-10T02:00:03.197801Z", "deleted_at": null, "main_name": "Tortoiseshell", "aliases": [ "Yellow Liderc", "Imperial Kitten", "Crimson Sandstorm", "Cuboid Sandstorm", "Smoke Sandstorm", "IMPERIAL KITTEN", "TA456", "DUSTYCAVE", "CURIUM" ], "source_name": "MISPGALAXY:Tortoiseshell", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00", "created_at": "2022-10-25T16:07:24.337332Z", "updated_at": "2026-04-10T02:00:04.94285Z", "deleted_at": null, "main_name": "Tortoiseshell", "aliases": [ "Cobalt Fireside", "Crimson Sandstorm", "Cuboid Sandstorm", "Curium", "Devious Serpens", "Houseblend", "Imperial Kitten", "Marcella Flores", "Operation Fata Morgana", "TA456", "Yellow Liderc" ], "source_name": "ETDA:Tortoiseshell", "tools": [ "IMAPLoader", "Infostealer", "IvizTech", "LEMPO", "MANGOPUNCH", "SysKit", "get-logon-history.ps1", "liderc", "stereoversioncontrol" ], "source_id": "ETDA", "reports": null }, { "id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47", "created_at": "2025-08-07T02:03:24.726943Z", "updated_at": "2026-04-10T02:00:03.805423Z", "deleted_at": null, "main_name": "COBALT FIRESIDE", "aliases": [ "CURIUM ", "Crimson Sandstorm ", "Cuboid Sandstorm ", "DEV-0228 ", "HIVE0095 ", "Imperial Kitten ", "TA456 ", "Tortoiseshell ", "UNC3890 ", "Yellow Liderc " ], "source_name": "Secureworks:COBALT FIRESIDE", "tools": [ "FireBAK", "LEMPO", "LiderBird" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434025, "ts_updated_at": 1775792003, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a44cb0cb381c9dbef6b6fa07464cb1dffa794fa5.pdf", "text": "https://archive.orkl.eu/a44cb0cb381c9dbef6b6fa07464cb1dffa794fa5.txt", "img": "https://archive.orkl.eu/a44cb0cb381c9dbef6b6fa07464cb1dffa794fa5.jpg" } }