{
	"id": "14e45dda-08ad-4f54-91a7-ba9cda8da848",
	"created_at": "2026-04-06T00:16:22.832528Z",
	"updated_at": "2026-04-10T03:33:13.924994Z",
	"deleted_at": null,
	"sha1_hash": "be64985f0155780b41be23320dd32acd56838cba",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47856,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:23:09 UTC\nTool: Powersing\nNames Powersing\nCategory Malware\nType Backdoor, Info stealer\nDescription\n(Kaspersky) • Stage 0’s role is to extract and execute the next element of the chain, as well as a decoy document embedded inside the LNK file to display to the user. This creates the illusion of having clicked on a real document and ensures the victim doesn’t get suspicious.\n• Stage 1 is a PowerShell script containing C# assembly designed to connect to a dead drop resolver (more on this in the next paragraph) and obtain cryptographic material used to decode the last stage of the chain by extracting a “DLL” file from the shortcut and locating a Base64-encoded list of URLs at a fixed offset. This establishes persistence by creating a shortcut (using the dropped icon) in the Windows startup folder pointing to the VBE startup script.\n• Finally, on stage 2, the actual malware implant used to take control of the victim’s machine. It connects to one of the dead drop resolvers to get the address of the real C\u0026C server and enters a loop that looks for orders every few seconds.\n• Upon system restart, the VBE startup script – which closely resembles stage 0 – is automatically executed, once again leading all the way to Powersing stage 2.\nCommunications with the C\u0026C server involve the exchange of JSON-encoded objects.\nPowersing only has two tasks:\n• Capture periodic screenshots from the victim’s machine, which are immediately sent to the C\u0026C server (two built-in commands allow operators to change screenshot quality and periodicity)\n• Execute arbitrary Powershell scripts provided by the C\u0026C\nInformation Last change to this tool card: 27 August 2020\nAll groups using tool Powersing\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f2cc1a5e-e273-4b56-b1e1-d4003e8d2f66\nPage 1 of 2\n\nChanged Name Country Observed\nAPT groups\nDeceptikons, DeathStalker [Unknown] 2012-Jun 2020\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f2cc1a5e-e273-4b56-b1e1-d4003e8d2f66",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f2cc1a5e-e273-4b56-b1e1-d4003e8d2f66"
	],
	"report_names": [
		"listgroups.cgi?u=f2cc1a5e-e273-4b56-b1e1-d4003e8d2f66"
	],
	"threat_actors": [
		{
			"id": "f7aa6029-2b01-4eee-8fe6-287330e087c9",
			"created_at": "2022-10-25T16:07:23.536763Z",
			"updated_at": "2026-04-10T02:00:04.646542Z",
			"deleted_at": null,
			"main_name": "Deceptikons",
			"aliases": [
				"DeathStalker",
				"Deceptikons"
			],
			"source_name": "ETDA:Deceptikons",
			"tools": [
				"EVILNUM",
				"Evilnum",
				"Janicab",
				"PowerPepper",
				"Powersing",
				"VileRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434582,
	"ts_updated_at": 1775791993,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be64985f0155780b41be23320dd32acd56838cba.pdf",
		"text": "https://archive.orkl.eu/be64985f0155780b41be23320dd32acd56838cba.txt",
		"img": "https://archive.orkl.eu/be64985f0155780b41be23320dd32acd56838cba.jpg"
	}
}