{
	"id": "37b38b45-db6e-4e91-b2c8-8b2695938eb3",
	"created_at": "2026-04-06T00:15:44.668239Z",
	"updated_at": "2026-04-10T13:11:41.750422Z",
	"deleted_at": null,
	"sha1_hash": "b9a330887435324fcd2dd3bcd3d48628b9c6b7d6",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44755,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:42:38 UTC\r\n APT group: UNC2891\r\nNames UNC2891 (Mandiant)\r\nCountry [Unknown]\r\nMotivation Financial gain\r\nFirst seen 2020\r\nDescription\r\n(Mandiant) The Mandiant Advanced Practices team previously published a threat research\r\nblog post that provided an overview of UNC1945 (LightBasin) operations where the actor\r\ncompromised managed services providers to gain access to targets in the financial and\r\nprofessional consulting industries.\r\nSince that time, Mandiant has investigated and attributed several intrusions to a threat cluster\r\nwe believe has a nexus to this actor, currently being tracked as UNC2891. Through these\r\ninvestigations, Mandiant has discovered additional techniques, malware, and utilities being\r\nused by UNC2891 alongside those previously observed in use by UNC1945. Despite having\r\nidentified significant overlaps between these threat clusters, Mandiant has not determined they\r\nare attributable to the same actor.\r\nObserved Sectors: Financial.\r\nTools used\r\nBINBASH, CAKETAP, MIGLOGCLEANER, SLAPSTICK, STEELCORGI,\r\nSTEELHOUND, SUN4ME, Tiny SHell, WINGCRACK, WINGHOOK, WIPERIGHT.\r\nInformation \u003chttps://www.mandiant.com/resources/unc2891-overview\u003e\r\nLast change to this card: 03 April 2022\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d2fd8a6e-0f59-4f61-b42c-17b66cc17c91\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=d2fd8a6e-0f59-4f61-b42c-17b66cc17c91\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d2fd8a6e-0f59-4f61-b42c-17b66cc17c9 1"
	],
	"report_names": [
		"showcard.cgi?u=d2fd8a6e-0f59-4f61-b42c-17b66cc17c9 1"
	],
	"threat_actors": [
		{
			"id": "8b0219d5-cb32-4702-a4d6-7de8beb9b7a8",
			"created_at": "2022-10-25T16:07:24.364598Z",
			"updated_at": "2026-04-10T02:00:04.955871Z",
			"deleted_at": null,
			"main_name": "UNC2891",
			"aliases": [],
			"source_name": "ETDA:UNC2891",
			"tools": [
				"BINBASH",
				"CAKETAP",
				"MIGLOGCLEANER",
				"SLAPSTICK",
				"STEELCORGI",
				"STEELHOUND",
				"SUN4ME",
				"Tiny SHell",
				"WINGCRACK",
				"WINGHOOK",
				"WIPERIGHT",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434544,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9a330887435324fcd2dd3bcd3d48628b9c6b7d6.pdf",
		"text": "https://archive.orkl.eu/b9a330887435324fcd2dd3bcd3d48628b9c6b7d6.txt",
		"img": "https://archive.orkl.eu/b9a330887435324fcd2dd3bcd3d48628b9c6b7d6.jpg"
	}
}