{ "id": "8c9e7828-347c-4ffd-b498-0093aae583d6", "created_at": "2026-04-06T00:21:58.408568Z", "updated_at": "2026-04-10T03:33:23.760067Z", "deleted_at": null, "sha1_hash": "c5e60308167069a91fb2481da79bec1646f0052b", "title": "logon-history.ps1 - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52971, "plain_text": "logon-history.ps1 - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 16:18:05 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool get-logon-history.ps1\r\n Tool: get-logon-history.ps1\r\nNames get-logon-history.ps1\r\nCategory Malware\r\nType Reconnaissance, Info stealer\r\nDescription\r\nDownloaded and used by Infostealer. It runs several commands on the infected machine to\r\ngather information about it and also the Firefox data of all users of the machine.\r\nInformation\r\n\u003chttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool get-logon-history.ps1\r\nChanged Name Country Observed\r\nAPT groups\r\n  Tortoiseshell, Imperial Kitten 2018-Oct 2023\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=861d4b02-4edd-4bd4-8cbc-e407862da8b7\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=861d4b02-4edd-4bd4-8cbc-e407862da8b7\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=861d4b02-4edd-4bd4-8cbc-e407862da8b7" ], "report_names": [ "listgroups.cgi?u=861d4b02-4edd-4bd4-8cbc-e407862da8b7" ], "threat_actors": [ { "id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d", "created_at": "2023-11-17T02:00:07.580677Z", "updated_at": "2026-04-10T02:00:03.452097Z", "deleted_at": null, "main_name": "Bohrium", "aliases": [ "BOHRIUM", "IMPERIAL KITTEN", "Smoke Sandstorm" ], "source_name": "MISPGALAXY:Bohrium", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7", "created_at": "2023-01-06T13:46:39.054248Z", "updated_at": "2026-04-10T02:00:03.197801Z", "deleted_at": null, "main_name": "Tortoiseshell", "aliases": [ "Yellow Liderc", "Imperial Kitten", "Crimson Sandstorm", "Cuboid Sandstorm", "Smoke Sandstorm", "IMPERIAL KITTEN", "TA456", "DUSTYCAVE", "CURIUM" ], "source_name": "MISPGALAXY:Tortoiseshell", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00", "created_at": "2022-10-25T16:07:24.337332Z", "updated_at": "2026-04-10T02:00:04.94285Z", "deleted_at": null, "main_name": "Tortoiseshell", "aliases": [ "Cobalt Fireside", "Crimson Sandstorm", "Cuboid Sandstorm", "Curium", "Devious Serpens", "Houseblend", "Imperial Kitten", "Marcella Flores", "Operation Fata Morgana", "TA456", "Yellow Liderc" ], "source_name": "ETDA:Tortoiseshell", "tools": [ "IMAPLoader", "Infostealer", "IvizTech", "LEMPO", "MANGOPUNCH", "SysKit", "get-logon-history.ps1", "liderc", "stereoversioncontrol" ], "source_id": "ETDA", "reports": null }, { "id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47", "created_at": "2025-08-07T02:03:24.726943Z", "updated_at": "2026-04-10T02:00:03.805423Z", "deleted_at": null, "main_name": "COBALT FIRESIDE", "aliases": [ "CURIUM ", "Crimson Sandstorm ", "Cuboid Sandstorm ", "DEV-0228 ", "HIVE0095 ", "Imperial Kitten ", "TA456 ", "Tortoiseshell ", "UNC3890 ", "Yellow Liderc " ], "source_name": "Secureworks:COBALT FIRESIDE", "tools": [ "FireBAK", "LEMPO", "LiderBird" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434918, "ts_updated_at": 1775792003, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c5e60308167069a91fb2481da79bec1646f0052b.pdf", "text": "https://archive.orkl.eu/c5e60308167069a91fb2481da79bec1646f0052b.txt", "img": "https://archive.orkl.eu/c5e60308167069a91fb2481da79bec1646f0052b.jpg" } }