{
	"id": "4e41ff5d-fe2b-47fb-adf3-b665712aae06",
	"created_at": "2026-04-06T00:06:34.547104Z",
	"updated_at": "2026-04-10T13:11:52.850999Z",
	"deleted_at": null,
	"sha1_hash": "b451ef33505a0048cf7dd378edabc9988d1e7c37",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48236,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:35:34 UTC\n\nTool: Slingshot\nNames: Slingshot\nCategory: Malware\nType: Loader\n\nDescription\n(Kaspersky) While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.\n\nThe initial loader replaces the victim's legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others.\n\nFollowing infection, Slingshot would load a number of modules onto the victim device, including two huge and powerful ones: Cahnadr, the kernel mode module, and GollumApp, a user mode module. The two modules are connected and able to support each other in information gathering, persistence and data exfiltration.\n\nInformation\nMalpedia\nLast change to this tool card: 24 April 2021\n\nAll groups using tool Slingshot\nChanged Name Country Observed\nAPT groups\nSlingshot [Unknown] 2012\n1 group listed (1 APT, 0 other, 0 unknown)\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=24bf0029-00d6-4eb3-9410-922221a07e36",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=24bf0029-00d6-4eb3-9410-922221a07e36"
	],
	"report_names": [
		"listgroups.cgi?u=24bf0029-00d6-4eb3-9410-922221a07e36"
	],
	"threat_actors": [
		{
			"id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde",
			"created_at": "2023-01-06T13:46:38.472883Z",
			"updated_at": "2026-04-10T02:00:02.989134Z",
			"deleted_at": null,
			"main_name": "ProjectSauron",
			"aliases": [
				"Sauron",
				"Project Sauron",
				"G0041"
			],
			"source_name": "MISPGALAXY:ProjectSauron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72aaa00d-4dcb-4f50-934c-326c84ca46e3",
			"created_at": "2023-01-06T13:46:38.995743Z",
			"updated_at": "2026-04-10T02:00:03.175285Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "MISPGALAXY:Slingshot",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f55c7778-a41c-4fc6-a2e7-fa970c5295f2",
			"created_at": "2022-10-25T16:07:24.198891Z",
			"updated_at": "2026-04-10T02:00:04.897342Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "ETDA:Slingshot",
			"tools": [
				"Cahnadr",
				"GollumApp",
				"NDriver"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433994,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b451ef33505a0048cf7dd378edabc9988d1e7c37.pdf",
		"text": "https://archive.orkl.eu/b451ef33505a0048cf7dd378edabc9988d1e7c37.txt",
		"img": "https://archive.orkl.eu/b451ef33505a0048cf7dd378edabc9988d1e7c37.jpg"
	}
}