{
	"id": "8effba20-2931-427a-9d8a-bea59b4509da",
	"created_at": "2026-04-06T00:21:05.100616Z",
	"updated_at": "2026-04-10T03:32:49.931752Z",
	"deleted_at": null,
	"sha1_hash": "ac9b4cd7899dba771afe3acf812ae8e13b93caf9",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48882,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:09:11 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Sysmain\r\n Tool: Sysmain\r\nNames Sysmain\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\r\nDescription\r\n(Kaspersky) The autonomous part of Sysmain installs and registers itself to be persistent in the\r\nsystem. Then it gathers general information about the victim’s system, like\r\n• User- and computer names\r\n• Locale information\r\n• Network- and drive status\r\n• Default browsers\r\n• Running processes\r\n• File listing of the user’s profile directory.\r\nWhen ready, this data is submitted to one of the C\u0026C-servers. After that, it checks periodically\r\nfor new commands from C\u0026C (pulling via HTTP).\r\nWith a set of 11 commands, the malware is able to:\r\n• Execute shell-commands\r\n• Launch additional executables or libraries (sent by the attacker)\r\n• Collect arbitrary files for later exfiltration\r\n• Examine the victim’s filesystem.\r\nThere are also commands used for maintenance purposes. Among others, there are commands\r\nto change the pubkey for C\u0026C-communication or delete its traces in the registry.\r\nInformation\r\n\u003chttps://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080817/EB-YetiJuly2014-Public.pdf\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Sysmain\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0290ce40-4114-48ba-a170-d1c40ca57a7d\r\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  Energetic Bear, Dragonfly 2010-Mar 2022\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0290ce40-4114-48ba-a170-d1c40ca57a7d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0290ce40-4114-48ba-a170-d1c40ca57a7d\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0290ce40-4114-48ba-a170-d1c40ca57a7d"
	],
	"report_names": [
		"listgroups.cgi?u=0290ce40-4114-48ba-a170-d1c40ca57a7d"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434865,
	"ts_updated_at": 1775791969,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac9b4cd7899dba771afe3acf812ae8e13b93caf9.pdf",
		"text": "https://archive.orkl.eu/ac9b4cd7899dba771afe3acf812ae8e13b93caf9.txt",
		"img": "https://archive.orkl.eu/ac9b4cd7899dba771afe3acf812ae8e13b93caf9.jpg"
	}
}