{ "id": "d2c16546-2c27-45ff-b4b5-4ba0cf2dab06", "created_at": "2026-04-06T00:19:16.517093Z", "updated_at": "2026-04-10T03:32:35.346608Z", "deleted_at": null, "sha1_hash": "c3c03103c60bf2a295331a951b6bc3da600207c1", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50636, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:33:33 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BrutishCommand\n Tool: BrutishCommand\nNames BrutishCommand\nCategory Malware\nType Dropper\nDescription\n(Palo Alto) The BrutishCommand loader uses a very interesting method to decrypt the\nFakeM functional code. The main function in this loader checks the command line\narguments passed to it, and if there are none present it will obtain a random number\nbetween 0-9 and create a new process using the same executable with this random number\nas a command line argument.\nIf the executable has a command line argument, the Trojan subjects the value to a hashing\nalgorithm and compares the hash to 0x20E3EEBA. If the value matches the static hash,\nthe executable will subject the command line argument to a second algorithm that will\nproduce a value that the Trojan will use as the decryption key to decrypt the embedded\nFakeM shellcode. It essentially brute forces its own decryption key by rerunning itself\nover and over until it runs with the correct value is provided on the command line. Unit 42\nhad not seen this technique used by other malware families and it introduces a challenging\nhurdle when attempting to analyze or debug the loader Trojan.\nInformation\nAlienVault OTX Last change to this tool card: 13 June 2020\nDownload this tool card in JSON format\nAll groups using tool BrutishCommand\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3e2c0fb6-a852-47dd-9638-4a04399adbf9\nPage 1 of 2\n\nAPT groups\r\n  Scarlet Mimic 2015-Aug 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3e2c0fb6-a852-47dd-9638-4a04399adbf9\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3e2c0fb6-a852-47dd-9638-4a04399adbf9\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3e2c0fb6-a852-47dd-9638-4a04399adbf9" ], "report_names": [ "listgroups.cgi?u=3e2c0fb6-a852-47dd-9638-4a04399adbf9" ], "threat_actors": [ { "id": "8c5c318c-0e71-4184-92bb-d1c28f68a411", "created_at": "2022-10-25T15:50:23.692481Z", "updated_at": "2026-04-10T02:00:05.409574Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "Scarlet Mimic" ], "source_name": "MITRE:Scarlet Mimic", "tools": [ "Psylo", "MobileOrder", "CallMe", "FakeM" ], "source_id": "MITRE", "reports": null }, { "id": "cac03bbf-0c42-470d-951e-0e92656be6cb", "created_at": "2023-01-06T13:46:38.463275Z", "updated_at": "2026-04-10T02:00:02.985402Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "Golfing Taurus", "G0029" ], "source_name": "MISPGALAXY:Scarlet Mimic", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9fc2aed1-c838-41e9-b469-922e7bab6f94", "created_at": "2022-10-25T16:07:24.162936Z", "updated_at": "2026-04-10T02:00:04.886029Z", "deleted_at": null, "main_name": "Scarlet Mimic", "aliases": [ "G0029", "Golfing Taurus" ], "source_name": "ETDA:Scarlet Mimic", "tools": [ "BrutishCommand", "CallMe", "CrypticConvo", "Elirks", "FakeFish", "FakeHighFive", "FakeM", "FakeM RAT", "FullThrottle", "HTran", "HUC Packet Transmit Tool", "MobileOrder", "Psylo", "RaidBase", "SkiBoot", "SubtractThis", "Terminator RAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434756, "ts_updated_at": 1775791955, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c3c03103c60bf2a295331a951b6bc3da600207c1.pdf", "text": "https://archive.orkl.eu/c3c03103c60bf2a295331a951b6bc3da600207c1.txt", "img": "https://archive.orkl.eu/c3c03103c60bf2a295331a951b6bc3da600207c1.jpg" } }