{
	"id": "6e15c744-6d42-439d-8456-0a024a00f4c0",
	"created_at": "2026-04-06T00:14:11.48676Z",
	"updated_at": "2026-04-10T03:25:12.840708Z",
	"deleted_at": null,
	"sha1_hash": "ccba5b9f29522092e340836d66b6495e2bc45155",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31781,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 15:32:04 UTC\r\nDescription (ESET) On August 27, 2018, a so-called zero-day vulnerability affecting Microsoft Windows was\r\npublished on GitHub and publicized via a rather acerbic tweet.\r\nIt seems obvious that this was not part of a coordinated vulnerability disclosure and there was no patch at the time\r\nthis tweet (since deleted) was published to fix the vulnerability.\r\nIt affects Microsoft Windows OSes from Windows 7 to Windows 10, and in particular the Advanced Local\r\nProcedure Call (ALPC) function, and allows a Local Privilege Escalation (LPE). LPE allows an executable or\r\nprocess to escalate privileges. In that specific case, it allows an executable launched by a restricted user to gain\r\nadministrative rights.\r\nThe tweet linked to a GitHub repository that contains Proof-of-Concept code for the exploit. Not only was a\r\ncompiled version released – the source code was also. Consequently, anyone can modify and recompile the\r\nexploit, in order to “improve it”, evade detection, or even incorporate it into their code.\r\nAs one could have predicted, it took only two days before we first identified the use of this exploit in a malicious\r\ncampaign from a group we have dubbed PowerPool. This group has a small number of victims and according to\r\nboth our telemetry and uploads to VirusTotal (we only considered manual uploads from the web interface), the\r\ntargeted countries include Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United\r\nStates and Ukraine.\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8ed6a653-b094-43f9-9127-628a84a6b72a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8ed6a653-b094-43f9-9127-628a84a6b72a"
	],
	"report_names": [
		"showcard.cgi?u=8ed6a653-b094-43f9-9127-628a84a6b72a"
	],
	"threat_actors": [
		{
			"id": "62985c5c-6938-4365-8432-29573e99ecf4",
			"created_at": "2022-10-25T16:07:24.075092Z",
			"updated_at": "2026-04-10T02:00:04.859737Z",
			"deleted_at": null,
			"main_name": "PowerPool",
			"aliases": [],
			"source_name": "ETDA:PowerPool",
			"tools": [
				"ALPC Local PrivEsc",
				"FireMaster",
				"PowerDump",
				"PowerSploit",
				"Quarks PwDump",
				"SMBExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "adee5dfb-98d1-488f-969d-48eed28cd7e4",
			"created_at": "2023-01-06T13:46:38.799427Z",
			"updated_at": "2026-04-10T02:00:03.105089Z",
			"deleted_at": null,
			"main_name": "PowerPool",
			"aliases": [
				"IAmTheKing"
			],
			"source_name": "MISPGALAXY:PowerPool",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434451,
	"ts_updated_at": 1775791512,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ccba5b9f29522092e340836d66b6495e2bc45155.pdf",
		"text": "https://archive.orkl.eu/ccba5b9f29522092e340836d66b6495e2bc45155.txt",
		"img": "https://archive.orkl.eu/ccba5b9f29522092e340836d66b6495e2bc45155.jpg"
	}
}