{
	"id": "98a75276-ae83-4791-ace9-de419a204dbb",
	"created_at": "2026-04-06T00:11:05.346657Z",
	"updated_at": "2026-04-10T03:29:58.03464Z",
	"deleted_at": null,
	"sha1_hash": "ba6d2c3153ce232372e1fafd06e16f8b93ea558b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54778,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:27:39 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool DmaUp3.exe\r\n Tool: DmaUp3.exe\r\nNames DmaUp3.exe\r\nCategory Malware\r\nType Reconnaissance, Credential stealer\r\nDescription\r\n(Kaspersky) The module collects information about current system which includes the\r\nfollowing:\r\n• Network adapter MAC address\r\n• CPU Name and Identifier\r\n• System default codepage\r\n• Windows OS and Service Pack versions\r\n• Hostname and IP address\r\n• Local user name\r\n• Cached passwords for Internet Explorer 6/7/8/9 (Protected Storage and IntelliForms)\r\n• Mozilla Firefox stored secrets (\u003c12.0)\r\n• Chrome stored secrets\r\n• MS Outlook Express accounts\r\n• MS Windows Mail accounts\r\n• MS Windows Live Mail accounts\r\n• MS Outlook accounts (SMTP/IMAP/POP3/HTTP)\r\n• MSN Messenger\r\n• Gmail Nofifier credentials\r\n• Google Desktop accounts\r\n• Google Talk accounts\r\nIf the module reveals that current System default codepage is 0412 (Korean) it terminates.\r\nInformation\r\n\u003chttps://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070901/darkhotelappendixindicators_kl.pdf\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c4e969d2-f993-4a23-8cc9-7b117f14182e\r\nPage 1 of 2\n\nAll groups using tool DmaUp3.exe\r\nChanged Name Country Observed\r\nAPT groups\r\n  DarkHotel 2007-2023  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c4e969d2-f993-4a23-8cc9-7b117f14182e\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c4e969d2-f993-4a23-8cc9-7b117f14182e\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c4e969d2-f993-4a23-8cc9-7b117f14182e"
	],
	"report_names": [
		"listgroups.cgi?u=c4e969d2-f993-4a23-8cc9-7b117f14182e"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434265,
	"ts_updated_at": 1775791798,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba6d2c3153ce232372e1fafd06e16f8b93ea558b.pdf",
		"text": "https://archive.orkl.eu/ba6d2c3153ce232372e1fafd06e16f8b93ea558b.txt",
		"img": "https://archive.orkl.eu/ba6d2c3153ce232372e1fafd06e16f8b93ea558b.jpg"
	}
}