{
	"id": "7ca4d82b-bda3-41b7-9465-987481fd9d33",
	"created_at": "2026-04-06T00:15:28.666175Z",
	"updated_at": "2026-04-10T03:25:07.904902Z",
	"deleted_at": null,
	"sha1_hash": "b5219bc3ba6368b3316c76a95b2c00532e37a03b",
	"title": "Remote CMD/PowerShell terminal - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48278,
	"plain_text": "Remote CMD/PowerShell terminal - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:51:51 UTC\n\nTool: Remote CMD/PowerShell terminal\nNames: Remote CMD/PowerShell terminal\nCategory: Malware\nType: Reconnaissance, Backdoor\n\nDescription\n(Kaspersky) The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware. All the strings and settings were encrypted and obfuscated. Functionality was identified that enables HTTP communication with the C\u0026C server and invokes “processcreate” based on parameters received as a response. The configuration and strings are encrypted using 3DES and Base64 encoding. Data sent to the C\u0026C server is also encrypted using 3DES and Base64. Different keys are used for local and network encryption.\n\nThe malware starts communicating with the C\u0026C server by sending basic information about the infected machine. The C\u0026C server then replies with the encrypted serialized configuration.\n\nThe malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute scripts/commands and receive the results via HTTP requests.\n\nInformation\nLast change to this tool card: 20 April 2020\n\nAll groups using tool Remote CMD/PowerShell terminal\nChanged  Name                  Country    Observed\nAPT groups\n         Operation Parliament  [Unknown]  2017\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d67dfeb0-ad1f-48f7-ac1e-8d932318b044",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d67dfeb0-ad1f-48f7-ac1e-8d932318b044"
	],
	"report_names": [
		"listgroups.cgi?u=d67dfeb0-ad1f-48f7-ac1e-8d932318b044"
	],
	"threat_actors": [
		{
			"id": "acae6371-5530-498a-8b99-c2f55652ffd5",
			"created_at": "2022-10-25T16:07:23.980316Z",
			"updated_at": "2026-04-10T02:00:04.818728Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "ETDA:Operation Parliament",
			"tools": [
				"Remote CMD/PowerShell terminal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3bda9919-b9cd-451c-89e6-c7674f8c6257",
			"created_at": "2023-01-06T13:46:38.782181Z",
			"updated_at": "2026-04-10T02:00:03.097957Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Parliament",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434528,
	"ts_updated_at": 1775791507,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5219bc3ba6368b3316c76a95b2c00532e37a03b.pdf",
		"text": "https://archive.orkl.eu/b5219bc3ba6368b3316c76a95b2c00532e37a03b.txt",
		"img": "https://archive.orkl.eu/b5219bc3ba6368b3316c76a95b2c00532e37a03b.jpg"
	}
}
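Worked example for the C2 scheme in the tool card's description above (beacon with basic host information, reply carrying the serialized configuration, "processcreate" tasking, 3DES then Base64 on every message, one key for embedded strings and configuration and a different key for network traffic). This is an added illustration, not code from the Kaspersky write-up or the malware itself: the page states only "3DES and Base64" and the two-key split, so the CBC mode, PKCS#7 padding, the random IV prepended to the ciphertext, the JSON message shapes, the key values and the sample task are all assumptions made here. It uses only the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed 24-byte 3DES keys; the real sample's keys are not on the page.
// One key for embedded strings/config, another for C2 traffic, as described.
var (
	LocalKey = []byte("local-string-key-24bytes")
	NetKey   = []byte("network-key-for-c2-24byt")
)

func pkcs7Pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%des.BlockSize != 0 {
		return nil, errors.New("unaligned plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Seal applies the layering the card names: 3DES first, then Base64.
// CBC, PKCS#7 and a random IV prepended to the ciphertext are assumptions.
func Seal(key, plain []byte) (string, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad(append([]byte(nil), plain...)) // copy so the caller's slice is untouched
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(append(iv, out...)), nil
}

// Open reverses Seal: Base64-decode, split off the IV, 3DES-CBC decrypt, unpad.
func Open(key []byte, blob string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*des.BlockSize || len(raw)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or unaligned")
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(raw)-des.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:des.BlockSize]).CryptBlocks(plain, raw[des.BlockSize:])
	return pkcs7Unpad(plain)
}

// Message shapes are assumptions; the card says only "basic information about
// the infected machine" and "encrypted serialized configuration".
type Beacon struct{ Host, User, OS string }
type Task struct{ Action, Command string }
type Config struct {
	BeaconSeconds int
	Tasks         []Task
}

// BuildBeacon is the implant's first message, protected with the network key.
func BuildBeacon(b Beacon) (string, error) {
	j, err := json.Marshal(b)
	if err != nil {
		return "", err
	}
	return Seal(NetKey, j)
}

// ServerReply is the C2 side: open the beacon, answer with the serialized config.
func ServerReply(beaconBlob string) (string, error) {
	j, err := Open(NetKey, beaconBlob)
	if err != nil {
		return "", err
	}
	var b Beacon
	if err := json.Unmarshal(j, &b); err != nil || b.Host == "" {
		return "", errors.New("malformed beacon")
	}
	cfg := Config{BeaconSeconds: 60, Tasks: []Task{{Action: "processcreate", Command: "cmd.exe /c whoami"}}}
	cj, err := json.Marshal(cfg)
	if err != nil {
		return "", err
	}
	return Seal(NetKey, cj)
}

// ParseConfig is the implant side of the reply. A real implant would hand each
// "processcreate" task to process creation; this example only returns the tasks.
func ParseConfig(replyBlob string) (Config, error) {
	var cfg Config
	j, err := Open(NetKey, replyBlob)
	if err != nil {
		return cfg, err
	}
	err = json.Unmarshal(j, &cfg)
	return cfg, err
}

func main() {
	beacon, _ := BuildBeacon(Beacon{Host: "WS01", User: "analyst", OS: "Windows 10"})
	reply, _ := ServerReply(beacon)
	cfg, err := ParseConfig(reply)
	fmt.Println("tasks:", cfg.Tasks, "err:", err)
	// An embedded string is under the other key: the network key never recovers it.
	str, _ := Seal(LocalKey, []byte("C:\\Windows\\System32\\cmd.exe"))
	p, err := Open(NetKey, str)
	fmt.Printf("local string opened with network key: %q err=%v\n", p, err)
}
```

For an analyst the point of the two-key split is practical: a key recovered from the unpacked binary's string decryption routine does not open captured HTTP bodies, and vice versa, so both routines have to be located. The layering also gives a cheap triage check on traffic: after Base64 decoding, a 3DES-CBC body is always a multiple of 8 bytes, which is the kind of property a proxy-log query can filter on before any key is known.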