{
	"id": "e5431a3d-8676-4c63-94b7-6350963c3de5",
	"created_at": "2026-04-06T00:10:15.864672Z",
	"updated_at": "2026-04-10T03:36:25.34737Z",
	"deleted_at": null,
	"sha1_hash": "c5a8b2caeb082e8a4268dc981c8cd7128d53f869",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51227,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:27:52 UTC\r\nTool: SkeletonKeyInjector\r\nNames SkeletonKeyInjector\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(CyCraft) The discovery of a related binary led us to initially believe the sample was a Dumpert. However, a more in-depth analysis revealed that the d3d11.dll sample implanted a skeleton key, where adversaries could persistently control (before the system reboot) the infected machine and machines under the infected AD. More specifically, the malware was an account manipulation tool that contained code extracted from both Dumpert and Mimikatz. We called this malware SkeletonKeyInjector. The malware employed a technique that altered the NTLM authentication program and implanted a skeleton key to allow adversaries to log in without a valid credential. This allowed the adversary to achieve the following objectives:\r\n● Persistence: After the code in memory was altered, the adversary could gain access to the compromised machines before the next system reboot. As AD machines are rarely rebooted, the adversary was able to control the machines for a very long time.\r\n● Defense Evasion: Aside from the different login password and login algorithm scheme, there was no difference when compared to a normal login activity. Furthermore, normal users could still log in to the system via their original password. Thus, the probability of being exposed was low.\r\n● Lateral Movement: Adversaries could use the skeleton key to log in to other machines that were in the same domain. This made it easier for an adversary to conduct lateral movement.\r\nInformation \u003chttps://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf\u003e\r\nLast change to this tool card: 20 April 2020\r\nAll groups using tool SkeletonKeyInjector\r\nChanged Name Country Observed\r\nAPT groups\r\nChimera 2018-Oct 2019\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ac256455-69de-4b40-9ca5-bb207aaf5b08",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ac256455-69de-4b40-9ca5-bb207aaf5b08"
	],
	"report_names": [
		"listgroups.cgi?u=ac256455-69de-4b40-9ca5-bb207aaf5b08"
	],
	"threat_actors": [
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775792185,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5a8b2caeb082e8a4268dc981c8cd7128d53f869.pdf",
		"text": "https://archive.orkl.eu/c5a8b2caeb082e8a4268dc981c8cd7128d53f869.txt",
		"img": "https://archive.orkl.eu/c5a8b2caeb082e8a4268dc981c8cd7128d53f869.jpg"
	}
}