{
	"id": "574d2492-2b41-47aa-bf7f-9c63dc70164e",
	"created_at": "2026-04-06T00:15:49.800027Z",
	"updated_at": "2026-04-10T03:34:43.78106Z",
	"deleted_at": null,
	"sha1_hash": "c35c38d9677235324b0e3d010a8b057ec1b6e68b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45772,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:08:35 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool LOSTKEYS\r\n Tool: LOSTKEYS\r\nNames LOSTKEYS\r\nCategory Malware\r\nType Reconnaissance, Info stealer, Exfiltration\r\nDescription\r\n(Mandiant) It is a piece of malware that is capable of stealing files from a hard-coded list of\r\nextensions and directories, along with sending system information and running processes to\r\nthe attacker.\r\nInformation\r\n\u003chttps://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos\u003e\r\nLast change to this tool card: 27 June 2025\r\nDownload this tool card in JSON format\r\nAll groups using tool LOSTKEYS\r\nChanged Name Country Observed\r\nAPT groups\r\n  Cold River 2019-Jan 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dfebfe66-3523-4610-90f5-752475089f7a\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dfebfe66-3523-4610-90f5-752475089f7a\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dfebfe66-3523-4610-90f5-752475089f7a"
	],
	"report_names": [
		"listgroups.cgi?u=dfebfe66-3523-4610-90f5-752475089f7a"
	],
	"threat_actors": [
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "68d50d91-7569-4e09-b155-98b23b23918a",
			"created_at": "2023-01-06T13:46:38.877268Z",
			"updated_at": "2026-04-10T02:00:03.130232Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Nahr Elbard",
				"Nahr el bared"
			],
			"source_name": "MISPGALAXY:Cold River",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775792083,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c35c38d9677235324b0e3d010a8b057ec1b6e68b.pdf",
		"text": "https://archive.orkl.eu/c35c38d9677235324b0e3d010a8b057ec1b6e68b.txt",
		"img": "https://archive.orkl.eu/c35c38d9677235324b0e3d010a8b057ec1b6e68b.jpg"
	}
}