{ "id": "b8ea85e1-d58c-4599-a322-e0f350aa866f", "created_at": "2026-04-06T00:09:26.590815Z", "updated_at": "2026-04-10T13:12:35.633453Z", "deleted_at": null, "sha1_hash": "ccce7f9dda86bfb131f1de62d24b027bcff1ef70", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53751, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:14:23 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SLUB\n Tool: SLUB\nNames SLUB\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Downloader, Exfiltration\nDescription\n(Trend Micro) We recently came across a previously unknown malware that piqued our\ninterest in multiple ways. For starters, we discovered it being spread via watering hole\nattacks, a technique that involves an attacker compromising a website before adding code\nto it so visitors are redirected to the infecting code. In this case, each visitor is redirected\nonly once. The infection was done by exploiting CVE-2018-8174, a VBScript engine\nvulnerability that was patched by Microsoft back in May 2018.\nSecond, it uses a multi-stage infection scheme. After it exploits the vulnerability, it\ndownloads a DLL and runs it in PowerShell (PS). This file, which is a downloader, then\ndownloads and runs the second executable file containing a backdoor. The first stage\ndownloader also checks for the existence of different kinds of antivirus software\nprocesses, and then proceeds to exit if any is found. At the time of discovery, the backdoor\nwas seemingly unknown to AV products.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 24 April 2021\nDownload this tool card in JSON format\nAll groups using tool SLUB\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=576647b7-c4ec-4642-baa2-0d9b53d9ae3c\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  Operation Earth Kitsune 2019-Late 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=576647b7-c4ec-4642-baa2-0d9b53d9ae3c\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=576647b7-c4ec-4642-baa2-0d9b53d9ae3c\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=576647b7-c4ec-4642-baa2-0d9b53d9ae3c" ], "report_names": [ "listgroups.cgi?u=576647b7-c4ec-4642-baa2-0d9b53d9ae3c" ], "threat_actors": [ { "id": "6158a31d-091c-4a5a-a82b-938e3d0b0e87", "created_at": "2023-11-17T02:00:07.61151Z", "updated_at": "2026-04-10T02:00:03.459947Z", "deleted_at": null, "main_name": "Earth Kitsune", "aliases": [], "source_name": "MISPGALAXY:Earth Kitsune", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3f6650a3-9f50-47c4-bd7a-008b63bde191", "created_at": "2022-10-25T16:07:23.949232Z", "updated_at": "2026-04-10T02:00:04.803815Z", "deleted_at": null, "main_name": "Operation Earth Kitsune", "aliases": [], "source_name": "ETDA:Operation Earth Kitsune", "tools": [ "SLUB", "WhiskerSpy", "agfSpy", "dneSpy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434166, "ts_updated_at": 1775826755, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ccce7f9dda86bfb131f1de62d24b027bcff1ef70.pdf", "text": "https://archive.orkl.eu/ccce7f9dda86bfb131f1de62d24b027bcff1ef70.txt", "img": "https://archive.orkl.eu/ccce7f9dda86bfb131f1de62d24b027bcff1ef70.jpg" } }