{ "id": "41a24739-e7b7-4269-812b-5178528d81c0", "created_at": "2026-04-06T00:11:22.585043Z", "updated_at": "2026-04-10T03:36:17.363011Z", "deleted_at": null, "sha1_hash": "ce905960168932d4aaf7713bb7eda84194b96bfe", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47099, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:07:40 UTC\r\n APT group: UNC2447\r\nNames UNC2447 (FireEye)\r\nCountry [Unknown]\r\nMotivation Financial gain\r\nFirst seen 2020\r\nDescription\r\n(FireEye) Mandiant has observed an aggressive financially motivated group, UNC2447,\r\nexploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and\r\ndeploying sophisticated malware previously reported by other vendors as SOMBRAT.\r\nMandiant has linked the use of SOMBRAT to the deployment of ransomware, which has not\r\nbeen previously reported publicly.\r\nUNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware\r\nfollowed by aggressively applying pressure through threats of media attention and offering\r\nvictim data for sale on hacker forums. UNC2447 has been observed targeting organizations in\r\nEurope and North America and has consistently displayed advanced capabilities to evade\r\ndetection and minimize post-intrusion forensics.\r\nObserved Countries: Europe and North America.\r\nTools used\r\n7-Zip, AdFind, BloodHound, Cobalt Strike, DeathRansom, FIVEHANDS, FOXGRABBER,\r\nHELLOKITTY, Mimikatz, PCHUNTER, RagnarLocker, RCLONE, ROUTERSCAN,\r\nS3BROWSER, SombRAT, WARPRISM, ZAP.\r\nInformation\r\n\u003chttps://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html\u003e\r\nLast change to this card: 15 May 2021\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ccffbbd0-8a98-4c6d-a384-1fe9a7e822f3\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ccffbbd0-8a98-4c6d-a384-1fe9a7e822f3\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ccffbbd0-8a98-4c6d-a384-1fe9a7e822f3" ], "report_names": [ "showcard.cgi?u=ccffbbd0-8a98-4c6d-a384-1fe9a7e822f3" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "065b7ea2-5920-4270-824e-94ea8a79d197", "created_at": "2023-12-08T02:00:05.747632Z", "updated_at": "2026-04-10T02:00:03.492858Z", "deleted_at": null, "main_name": "UNC2447", "aliases": [], "source_name": "MISPGALAXY:UNC2447", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51", "created_at": "2022-10-25T16:07:24.35977Z", "updated_at": "2026-04-10T02:00:04.953882Z", "deleted_at": null, "main_name": "UNC2447", "aliases": [], "source_name": "ETDA:UNC2447", "tools": [ "7-Zip", "AdFind", "Agentemis", "Cobalt Strike", "CobaltStrike", "DEATHRANSOM", "DeathRansom", "FIVEHANDS", "FOXGRABBER", "HELLOKITTY", "HelloKitty", "KittyCrypt", "Mimikatz", "PCHUNTER", "RCLONE", "ROUTERSCAN", "Ragnar Locker", "RagnarLocker", "Rclone", "S3BROWSER", "SombRAT", "Thieflock", "WARPRISM", "cobeacon", "deathransom", "wacatac" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434282, "ts_updated_at": 1775792177, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ce905960168932d4aaf7713bb7eda84194b96bfe.pdf", "text": "https://archive.orkl.eu/ce905960168932d4aaf7713bb7eda84194b96bfe.txt", "img": "https://archive.orkl.eu/ce905960168932d4aaf7713bb7eda84194b96bfe.jpg" } }