{
	"id": "d0686e11-322f-4d1a-a012-0f9436f2c5e4",
	"created_at": "2026-04-06T00:11:24.05994Z",
	"updated_at": "2026-04-10T13:12:30.193647Z",
	"deleted_at": null,
	"sha1_hash": "aaea9b8bcd41043cd4b904dac9c4947091760c2d",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48071,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:49:21 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PowerTrick\n Tool: PowerTrick\nNames PowerTrick\nCategory Malware\nType Backdoor\nDescription\n(SentinelLabs) SentinelLabs research into this PowerShell-based backdoor called\n“PowerTrick” traces back to the initial infection. We assess with high confidence that at least some\nof the initial PowerTrick infections are being kicked off as a PowerShell task through normal\nTrickBot infections utilizing a repurposed backconnect module that can accept commands to\nexecute called “NewBCtest”.\nAfter the initial stager for the “PowerTrick backdoor” is kicked off, the actor issues the\nfirst command, which is to download a larger backdoor. This process is similar to what you see\nin PowerShell Empire with its stager component.\nPowerTrick is designed to execute commands and return the results in Base64 format; the\nsystem uses a generated UUID based on computer information as a “botID.”\nInformation\nLast change to this tool card: 24 June 2020\nDownload this tool card in JSON format\nAll groups using tool PowerTrick\nChanged Name Country Observed\nAPT groups\n Wizard Spider, Gold Blackburn 2014-May 2025\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=48fd4d67-710f-4f16-86b8-de497183ee53\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=48fd4d67-710f-4f16-86b8-de497183ee53\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=48fd4d67-710f-4f16-86b8-de497183ee53\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=48fd4d67-710f-4f16-86b8-de497183ee53"
	],
	"report_names": [
		"listgroups.cgi?u=48fd4d67-710f-4f16-86b8-de497183ee53"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aaea9b8bcd41043cd4b904dac9c4947091760c2d.pdf",
		"text": "https://archive.orkl.eu/aaea9b8bcd41043cd4b904dac9c4947091760c2d.txt",
		"img": "https://archive.orkl.eu/aaea9b8bcd41043cd4b904dac9c4947091760c2d.jpg"
	}
}