{ "id": "008e81bf-e9a7-4a08-8faf-d670b64d2cb1", "created_at": "2026-04-06T00:15:55.689502Z", "updated_at": "2026-04-10T03:36:22.137508Z", "deleted_at": null, "sha1_hash": "ae7e3391dfd878c13e2b6e540cc8d8e8d558a114", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50929, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:58:13 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Cuegoe\n Tool: Cuegoe\nNames Cuegoe\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Downloader\nDescription\n(FireEye) • Command and control (C2) communications via TCP raw sockets\n• Four configured C2s and six configured ports – randomly-chosen C2/port for\ncommunications\n• Registry manipulation\n• Get the current module's file name\n• Gather system information including registry values, user name, computer name, and\ncurrent code page\n• File system interaction including directory creation, file deletion, reading, and writing\nfiles\n• Load additional modules and execute code\n• Terminate processes\n• Anti-disassembly\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 29 December 2022\nDownload this tool card in JSON format\nAll groups using tool Cuegoe\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5c526664-bbfb-4310-914a-156c0d51622d\nPage 1 of 2\n\nAPT groups\r\n  APT 32, OceanLotus, SeaLotus 2013-Aug 2024\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5c526664-bbfb-4310-914a-156c0d51622d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5c526664-bbfb-4310-914a-156c0d51622d\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5c526664-bbfb-4310-914a-156c0d51622d" ], "report_names": [ "listgroups.cgi?u=5c526664-bbfb-4310-914a-156c0d51622d" ], "threat_actors": [ { "id": "af509bbb-8d18-4903-a9bd-9e94099c6b30", "created_at": "2023-01-06T13:46:38.585525Z", "updated_at": "2026-04-10T02:00:03.030833Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "OceanLotus", "ATK17", "G0050", "APT-C-00", "APT-32", "Canvas Cyclone", "SeaLotus", "Ocean Buffalo", "OceanLotus Group", "Cobalt Kitty", "Sea Lotus", "APT 32", "POND LOACH", "TIN WOODLAWN", "Ocean Lotus" ], "source_name": "MISPGALAXY:APT32", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "870f6f62-84f5-48ca-a18e-cf2902cd6924", "created_at": "2022-10-25T15:50:23.303818Z", "updated_at": "2026-04-10T02:00:05.301184Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "APT32", "SeaLotus", "OceanLotus", "APT-C-00", "Canvas Cyclone" ], "source_name": "MITRE:APT32", "tools": [ "Mimikatz", "ipconfig", "Kerrdown", "Cobalt Strike", "SOUNDBITE", "OSX_OCEANLOTUS.D", "KOMPROGO", "netsh", "RotaJakiro", "PHOREAL", "Arp", "Denis", "Goopy" ], "source_id": "MITRE", "reports": null }, { "id": "5da6b5fd-1955-412a-81aa-069fb50b6e31", "created_at": "2025-08-07T02:03:25.116085Z", "updated_at": "2026-04-10T02:00:03.668978Z", "deleted_at": null, "main_name": "TIN WOODLAWN", "aliases": [ "APT32 ", "Cobalt Kitty", "OceanLotus", "WOODLAWN " ], "source_name": "Secureworks:TIN WOODLAWN", "tools": [ "Cobalt Strike", "Denis", "Goopy", "JEShell", "KerrDown", "Mimikatz", "Ratsnif", "Remy", "Rizzo", "RolandRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "2439ad53-39cc-4fff-8fdf-4028d65803c0", "created_at": "2022-10-25T16:07:23.353204Z", "updated_at": "2026-04-10T02:00:04.55407Z", "deleted_at": null, "main_name": "APT 32", "aliases": [ "APT 32", "APT-C-00", "APT-LY-100", "ATK 17", "G0050", "Lotus Bane", "Ocean Buffalo", "OceanLotus", "Operation Cobalt Kitty", "Operation PhantomLance", "Pond Loach", "SeaLotus", "SectorF01", "Tin Woodlawn" ], "source_name": "ETDA:APT 32", "tools": [ "Agentemis", "Android.Backdoor.736.origin", "AtNow", "Backdoor.MacOS.OCEANLOTUS.F", "BadCake", "CACTUSTORCH", "CamCapture Plugin", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Cuegoe", "DKMC", "Denis", "Goopy", "HiddenLotus", "KOMPROGO", "KerrDown", "METALJACK", "MSFvenom", "Mimikatz", "Nishang", "OSX_OCEANLOTUS.D", "OceanLotus", "PHOREAL", "PWNDROID1", "PhantomLance", "PowerSploit", "Quasar RAT", "QuasarRAT", "RatSnif", "Remy", "Remy RAT", "Rizzo", "Roland", "Roland RAT", "SOUNDBITE", "Salgorea", "Splinter RAT", "Terracotta VPN", "Yggdrasil", "cobeacon", "denesRAT", "fingerprintjs2" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434555, "ts_updated_at": 1775792182, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ae7e3391dfd878c13e2b6e540cc8d8e8d558a114.pdf", "text": "https://archive.orkl.eu/ae7e3391dfd878c13e2b6e540cc8d8e8d558a114.txt", "img": "https://archive.orkl.eu/ae7e3391dfd878c13e2b6e540cc8d8e8d558a114.jpg" } }