{
	"id": "798cc474-a3e2-432f-91e2-2e57e75c7151",
	"created_at": "2026-04-06T03:36:24.093073Z",
	"updated_at": "2026-04-10T03:30:45.439908Z",
	"deleted_at": null,
	"sha1_hash": "c3ec64689e9f6fa7faa54e0e2bf82e7c9bda9815",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53071,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 03:22:19 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool StreamEx\n Tool: StreamEx\nNames StreamEx\nCategory Malware\nType Reconnaissance, Backdoor\nDescription\n(Cylance) Cylance dubbed this family of malware StreamEx, based upon a common\nexported function used across all samples ‘stream’, combined with the dropper\nfunctionality to append ‘ex’ to the DLL file name.\nThe StreamEx family has the ability to access and modify the user’s file system, modify\nthe registry, create system services, enumerate process and system information,\nenumerate network resources and drive types, scan for security tools such as firewall\nproducts and antivirus products, change browser security settings, and remotely execute\ncommands. The malware documented in this post was predominantly 64-bit, however,\nthere are 32-bit versions of the malware in the wild.\nInformation\nMITRE ATT\u0026CK AlienVault OTX Last change to this tool card: 22 April 2020\nDownload this tool card in JSON format\nAll groups using tool StreamEx\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fa1c38a2-c132-470d-8a83-b5b6df3e2a00\nPage 1 of 2\n\nTurbine Panda, APT 26, Shell Crew, WebMasters, KungFu\r\nKittens\r\n2010-Oct 2018\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fa1c38a2-c132-470d-8a83-b5b6df3e2a00\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fa1c38a2-c132-470d-8a83-b5b6df3e2a00\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fa1c38a2-c132-470d-8a83-b5b6df3e2a00"
	],
	"report_names": [
		"listgroups.cgi?u=fa1c38a2-c132-470d-8a83-b5b6df3e2a00"
	],
	"threat_actors": [
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a080173e-7141-4d46-831d-a5f15ebef31a",
			"created_at": "2023-01-06T13:46:38.629955Z",
			"updated_at": "2026-04-10T02:00:03.044597Z",
			"deleted_at": null,
			"main_name": "APT26",
			"aliases": [
				"JerseyMikes",
				"TURBINE PANDA",
				"BRONZE EXPRESS",
				"TECHNETIUM",
				"Taffeta Typhoon"
			],
			"source_name": "MISPGALAXY:APT26",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446584,
	"ts_updated_at": 1775791845,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3ec64689e9f6fa7faa54e0e2bf82e7c9bda9815.pdf",
		"text": "https://archive.orkl.eu/c3ec64689e9f6fa7faa54e0e2bf82e7c9bda9815.txt",
		"img": "https://archive.orkl.eu/c3ec64689e9f6fa7faa54e0e2bf82e7c9bda9815.jpg"
	}
}