{
	"id": "11041ebb-1e40-473f-8b51-0ded69c2a46c",
	"created_at": "2026-04-06T00:07:07.857235Z",
	"updated_at": "2026-04-10T03:23:15.574417Z",
	"deleted_at": null,
	"sha1_hash": "acb8130d853d0199c8839ddf995ac13175a6aa79",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47596,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 11:00:03 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Metel\n Tool: Metel\nNames Metel\nCategory Malware\nType Reconnaissance, Backdoor, Credential stealer, Info stealer\nDescription\n(Kaspersky) Metel, the Russian word for blizzard, burrows its way into a financial\norganization using cleverly crafted spear phishing emails laced with malware, or luring victims\nto sites hosting the Niteris EK. The malware steals system information including process lists\nand screenshots, sending it to the attackers who evaluate whether the infected machine is\ninteresting enough to load the remainder of the Metel malware package.\nThe malware contains more than 30 modules—some homemade, some taken from publicly\navailable sources. The attackers also use legitimate pen-testing tools such as mimikatz, which\nis freely available and used by analysts to extract plaintext passwords, hashes, PIN codes and\nKerberos tickets from the memory of Windows machines.\nUsing this stolen data, the attackers were able to pivot internally, stealing credentials until\nthey landed on a domain controller. With the reins of a domain controller, the attackers could\nextend their reach onto any machine.\nInformation\nLast change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool Metel\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a97eaa90-0c9a-4655-a212-01173f31b286\nPage 1 of 2\n\nCorkow, Metel 2011  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a97eaa90-0c9a-4655-a212-01173f31b286\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a97eaa90-0c9a-4655-a212-01173f31b286\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a97eaa90-0c9a-4655-a212-01173f31b286"
	],
	"report_names": [
		"listgroups.cgi?u=a97eaa90-0c9a-4655-a212-01173f31b286"
	],
	"threat_actors": [
		{
			"id": "a58aedbc-e89f-4e0c-8147-c6406a616cfa",
			"created_at": "2022-10-25T16:07:23.494355Z",
			"updated_at": "2026-04-10T02:00:04.629595Z",
			"deleted_at": null,
			"main_name": "Corkow",
			"aliases": [
				"Corkow",
				"Metel"
			],
			"source_name": "ETDA:Corkow",
			"tools": [
				"Corkow",
				"Metel"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434027,
	"ts_updated_at": 1775791395,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/acb8130d853d0199c8839ddf995ac13175a6aa79.pdf",
		"text": "https://archive.orkl.eu/acb8130d853d0199c8839ddf995ac13175a6aa79.txt",
		"img": "https://archive.orkl.eu/acb8130d853d0199c8839ddf995ac13175a6aa79.jpg"
	}
}