{
	"id": "4851c5c8-3789-4446-8bd9-f5a664de343a",
	"created_at": "2026-04-06T00:21:50.147651Z",
	"updated_at": "2026-04-10T03:35:17.262025Z",
	"deleted_at": null,
	"sha1_hash": "b064f54c89dceb86d1da140dd4bb3f47b95ad8a1",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49815,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:21:39 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool STEELCORGI\nTool: STEELCORGI\nNames: STEELCORGI\nCategory: Malware\nType: Dropper\nDescription:\n(FireEye) STEELCORGI is a packer for Linux ELF programs that uses key material from the executing environment to decrypt the payload. When first starting up, the malware expects to find up to four environment variables that contain numeric values. The malware uses the environment variable values as a key to decrypt additional data to be executed.\nInformation: Malpedia\nLast change to this tool card: 05 April 2022\nDownload this tool card in JSON format\nAll groups using tool STEELCORGI\nChanged | Name | Country | Observed\nAPT groups\n | LightBasin | | 2016\n | UNC2891 | [Unknown] | 2020\n2 groups listed (2 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=be20bbeb-da73-447b-9690-442052f15c7d\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=be20bbeb-da73-447b-9690-442052f15c7d\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=be20bbeb-da73-447b-9690-442052f15c7d"
	],
	"report_names": [
		"listgroups.cgi?u=be20bbeb-da73-447b-9690-442052f15c7d"
	],
	"threat_actors": [
		{
			"id": "8b0219d5-cb32-4702-a4d6-7de8beb9b7a8",
			"created_at": "2022-10-25T16:07:24.364598Z",
			"updated_at": "2026-04-10T02:00:04.955871Z",
			"deleted_at": null,
			"main_name": "UNC2891",
			"aliases": [],
			"source_name": "ETDA:UNC2891",
			"tools": [
				"BINBASH",
				"CAKETAP",
				"MIGLOGCLEANER",
				"SLAPSTICK",
				"STEELCORGI",
				"STEELHOUND",
				"SUN4ME",
				"Tiny SHell",
				"WINGCRACK",
				"WINGHOOK",
				"WIPERIGHT",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434910,
	"ts_updated_at": 1775792117,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b064f54c89dceb86d1da140dd4bb3f47b95ad8a1.pdf",
		"text": "https://archive.orkl.eu/b064f54c89dceb86d1da140dd4bb3f47b95ad8a1.txt",
		"img": "https://archive.orkl.eu/b064f54c89dceb86d1da140dd4bb3f47b95ad8a1.jpg"
	}
}