{
	"id": "9d37b37c-2336-49fb-acd9-706d98277c98",
	"created_at": "2026-04-06T00:22:35.422088Z",
	"updated_at": "2026-04-10T03:35:12.410211Z",
	"deleted_at": null,
	"sha1_hash": "c43ff4c4ee997d1efca61ebdda2e55003e6a0673",
	"title": "Metasploit Stager - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44916,
	"plain_text": "Metasploit Stager - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:11:30 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Metasploit Stager\nTool: Metasploit Stager\nNames: Metasploit Stager\nCategory: Tools\nType: Downloader, Loader\nDescription:\nThe Metasploit Framework decouples exploits from the stuff that gets executed after\nsuccessful exploitation (the payload). Payloads in the Metasploit Framework are also divided\ninto two parts, the stager and the stage. The stager is responsible for downloading a large\npayload (the stage), injecting it into memory, and passing execution to it.\nInformation: Last change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool Metasploit Stager\nChanged Name Country Observed\nAPT groups\nCobalt Group (observed 2016-Oct 2019)\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=826053a8-18fd-4e08-b115-13b3a7ab42fb\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=826053a8-18fd-4e08-b115-13b3a7ab42fb\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=826053a8-18fd-4e08-b115-13b3a7ab42fb"
	],
	"report_names": [
		"listgroups.cgi?u=826053a8-18fd-4e08-b115-13b3a7ab42fb"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434955,
	"ts_updated_at": 1775792112,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c43ff4c4ee997d1efca61ebdda2e55003e6a0673.pdf",
		"text": "https://archive.orkl.eu/c43ff4c4ee997d1efca61ebdda2e55003e6a0673.txt",
		"img": "https://archive.orkl.eu/c43ff4c4ee997d1efca61ebdda2e55003e6a0673.jpg"
	}
}