{
	"id": "1fd1d3c7-370a-48d8-b61c-44ec85a42307",
	"created_at": "2026-04-06T00:17:01.363438Z",
	"updated_at": "2026-04-10T03:37:51.310683Z",
	"deleted_at": null,
	"sha1_hash": "b6e7cdf2327dc632a3ea20b91d4e274fece93e2d",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51432,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:27:40 UTC\n Tool: Rook\nNames Rook\nCategory Malware\nType Ransomware\nDescription\nAccording to PCrisk, Rook is ransomware (an updated variant of Babuk) that prevents victims from accessing/opening files by encrypting [...]\nfile/ransom note ('HowToRestoreYourFiles.txt'). Rook renames files by appending the '.Rook' extension. For example, it renames '1.jpg' [...]\nInformation\nMalpedia Last change to this tool card: 30 November 2023\nDownload this tool card in JSON format\nAll groups using tool Rook\nChanged Name Country Observed\nAPT groups\n Bronze Starlight 2021-Mar 2023\n1 group listed (1 APT, 0 other, 0 unknown)\n↑\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c454ae0f-ae6d-4d20-a7dc-78665a109e37\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c454ae0f-ae6d-4d20-a7dc-78665a109e37\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c454ae0f-ae6d-4d20-a7dc-78665a109e37"
	],
	"report_names": [
		"listgroups.cgi?u=c454ae0f-ae6d-4d20-a7dc-78665a109e37"
	],
	"threat_actors": [
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434621,
	"ts_updated_at": 1775792271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6e7cdf2327dc632a3ea20b91d4e274fece93e2d.pdf",
		"text": "https://archive.orkl.eu/b6e7cdf2327dc632a3ea20b91d4e274fece93e2d.txt",
		"img": "https://archive.orkl.eu/b6e7cdf2327dc632a3ea20b91d4e274fece93e2d.jpg"
	}
}