{ "id": "797d6487-1dfb-4ce6-88bd-ff8bf909cf0d", "created_at": "2026-04-06T00:16:26.614246Z", "updated_at": "2026-04-10T03:36:27.500259Z", "deleted_at": null, "sha1_hash": "c16bc105bc8c64b62545bd1d5a2f5af071320e2e", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48195, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 20:57:07 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PowerShower\n Tool: PowerShower\nNames PowerShower\nCategory Malware\nType Reconnaissance, Downloader\nDescription\n(Palo Alto) POWERSHOWER acts as an initial reconnaissance foothold and is almost\ncertainly used to download and execute a secondary payload with a more complete set\nof features. By only using this simple backdoor to establish a foothold, the attacker can\nhold back their most sophisticated and complex malware for later stages, making them\nless likely to be detected.\nIn a nutshell, POWERSHOWER allows the attacker to:\n• Fingerprint the machine, and upload this information to the initial C\u0026C.\n• Clean up a significant amount of forensic evidence from the dropper process, as we\ndetail below.\n• Run a secondary payload, if the attacker decides the target machine is sufficiently\ninteresting (based on analysis of the system data sent from the first beacon)\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool PowerShower\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8f922508-3fd3-4018-997b-a7a9075af23e\nPage 1 of 2\n\nAPT groups\r\n  Inception Framework, Cloud Atlas 2012-2024  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8f922508-3fd3-4018-997b-a7a9075af23e\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8f922508-3fd3-4018-997b-a7a9075af23e\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8f922508-3fd3-4018-997b-a7a9075af23e" ], "report_names": [ "listgroups.cgi?u=8f922508-3fd3-4018-997b-a7a9075af23e" ], "threat_actors": [ { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434586, "ts_updated_at": 1775792187, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c16bc105bc8c64b62545bd1d5a2f5af071320e2e.pdf", "text": "https://archive.orkl.eu/c16bc105bc8c64b62545bd1d5a2f5af071320e2e.txt", "img": "https://archive.orkl.eu/c16bc105bc8c64b62545bd1d5a2f5af071320e2e.jpg" } }