{ "id": "bcdd0e84-238e-49c3-a390-30af7b0be68c", "created_at": "2026-04-06T00:18:42.919837Z", "updated_at": "2026-04-10T03:31:41.872221Z", "deleted_at": null, "sha1_hash": "d102cb5c1a4dc5546defc4593a859cdd3f431b83", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54733, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 12:49:18 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Shark\n Tool: Shark\nNames Shark\nCategory Malware\nType Backdoor\nDescription\n(ClearSky) In July 2021, we detected a second wave of similar attacks against additional\ncompanies in Israel. In this wave, Siamesekitten upgraded their backdoor malware to a\nnew version called “Shark” and it replaced the old version of their malware called\n“Milan”.\nInformation MITRE ATT\u0026CK Malpedia Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Shark\nChanged Name Country Observed\nAPT groups\n Hexane 2017-Jun 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2063af6d-5de1-4a44-8f2c-8b8678bc10fe\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2063af6d-5de1-4a44-8f2c-8b8678bc10fe\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2063af6d-5de1-4a44-8f2c-8b8678bc10fe" ], "report_names": [ "listgroups.cgi?u=2063af6d-5de1-4a44-8f2c-8b8678bc10fe" ], "threat_actors": [ { "id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6", "created_at": "2022-10-25T16:07:23.706646Z", "updated_at": "2026-04-10T02:00:04.719127Z", "deleted_at": null, "main_name": "Hexane", "aliases": [ "ATK 120", "Cobalt Lyceum", "G1001", "Lyceum", "Operation Out to Sea", "Siamesekitten", "Yellow Dev 9" ], "source_name": "ETDA:Hexane", "tools": [ "DanBot", "DanDrop", "Decrypt-RDCMan.ps1", "Get-LAPSP.ps1", "James", "Milan", "kl.ps1" ], "source_id": "ETDA", "reports": null }, { "id": "a7df240e-6750-4b71-99de-85831b92faa2", "created_at": "2022-10-25T15:50:23.859253Z", "updated_at": "2026-04-10T02:00:05.285965Z", "deleted_at": null, "main_name": "HEXANE", "aliases": [ "Lyceum", "Siamesekitten", "Spirlin" ], "source_name": "MITRE:HEXANE", "tools": [ "Milan", "netstat", "BITSAdmin", "DnsSystem", "DanBot", "ipconfig", "Mimikatz", "Kevin", "PoshC2" ], "source_id": "MITRE", "reports": null }, { "id": "fb8f3a5f-01a9-498e-9396-52f844424c33", "created_at": "2023-01-06T13:46:39.045338Z", "updated_at": "2026-04-10T02:00:03.195743Z", "deleted_at": null, "main_name": "LYCEUM", "aliases": [ "Spirlin", "MYSTICDOME", "siamesekitten", "Chrono Kitten", "Storm-0133", "COBALT LYCEUM", "UNC1530" ], "source_name": "MISPGALAXY:LYCEUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "386b1b0a-9217-46d4-a0d6-73d6286154e0", "created_at": "2025-08-07T02:03:24.760429Z", "updated_at": "2026-04-10T02:00:03.619131Z", "deleted_at": null, "main_name": "COBALT LYCEUM", "aliases": [ "DEV-0133 ", "HEXANE ", "ScorchedEpoch " ], "source_name": "Secureworks:COBALT LYCEUM", "tools": [ "DanBot", "MilanRAT", "RGDoor", "SharkWork RAT" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434722, "ts_updated_at": 1775791901, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d102cb5c1a4dc5546defc4593a859cdd3f431b83.pdf", "text": "https://archive.orkl.eu/d102cb5c1a4dc5546defc4593a859cdd3f431b83.txt", "img": "https://archive.orkl.eu/d102cb5c1a4dc5546defc4593a859cdd3f431b83.jpg" } }