{
	"id": "135f6bb3-5438-4182-80e8-fc81647f2e9f",
	"created_at": "2026-04-06T00:13:42.953002Z",
	"updated_at": "2026-04-10T03:35:17.318149Z",
	"deleted_at": null,
	"sha1_hash": "b3cb5bc11a02c31991912dd43d95be34d67ca27a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49240,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:55:24 UTC\r\nTool: LEMONSTICK\r\nNames: LEMONSTICK\r\nCategory: Malware\r\nType: Backdoor, Tunneling\r\nDescription:\r\n(FireEye) LEMONSTICK is a Linux executable command line utility with backdoor capabilities. The backdoor can execute files, transfer files, and tunnel connections. LEMONSTICK can be started in two different ways: passing the `-c` command line argument (with an optional file) and setting the ‘OCB’ environment variable. When started with the `-c` command line argument, LEMONSTICK spawns an interactive shell. When started in OCB mode, LEMONSTICK expects to read from STDIN. The STDIN data is expected to be encrypted with the Blowfish algorithm. After decrypting, it dispatches commands based on the name—for example: ‘executes terminal command’, ‘connect to remote system’, ‘send \u0026 retrieve file’, ‘create socket connection’.\r\nInformation: \u003chttps://www.mandiant.com/resources/live-off-the-land-an-overview-of-unc1945\u003e\r\nLast change to this tool card: 03 April 2022\r\nAll groups using tool LEMONSTICK\r\nAPT groups\r\nName: LightBasin; Observed: 2016\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=302afb62-797f-4e51-a073-f193e9e0030f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=302afb62-797f-4e51-a073-f193e9e0030f"
	],
	"report_names": [
		"listgroups.cgi?u=302afb62-797f-4e51-a073-f193e9e0030f"
	],
	"threat_actors": [
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434422,
	"ts_updated_at": 1775792117,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3cb5bc11a02c31991912dd43d95be34d67ca27a.pdf",
		"text": "https://archive.orkl.eu/b3cb5bc11a02c31991912dd43d95be34d67ca27a.txt",
		"img": "https://archive.orkl.eu/b3cb5bc11a02c31991912dd43d95be34d67ca27a.jpg"
	}
}