{ "id": "82aa3115-e3cf-467d-b6b6-5018a0ac3dcb", "created_at": "2026-04-06T00:17:35.480469Z", "updated_at": "2026-04-10T13:12:58.237706Z", "deleted_at": null, "sha1_hash": "d36d00c60aa2a0d60d9d4198faeae83d2d5b9a4b", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47826, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:36:57 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool WARPRISM\r\n Tool: WARPRISM\r\nNames WARPRISM\r\nCategory Malware\r\nType Dropper\r\nDescription\r\n(FireEye) WARPRISM is a PowerShell dropper that has been observed by Mandiant\r\ndelivering SunCrypt, Cobalt Strike, and Mimikatz. WARPRISM is used to evade endpoint\r\ndetection and will load its payload directly into memory. WARPRISM may be used by\r\nmultiple groups.\r\nInformation\r\n\u003chttps://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html\u003e\r\nLast change to this tool card: 15 May 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool WARPRISM\r\nChanged Name Country Observed\r\nAPT groups\r\n  Carbanak, Anunak 2013-Apr 2023\r\n  SunCrypt Gang [Unknown] 2019-Oct 2020  \r\n  UNC2447 [Unknown] 2020  \r\n3 groups listed (3 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9672ed6f-d3ba-4a31-a3a0-aa19d6aeead8\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9672ed6f-d3ba-4a31-a3a0-aa19d6aeead8\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9672ed6f-d3ba-4a31-a3a0-aa19d6aeead8" ], "report_names": [ "listgroups.cgi?u=9672ed6f-d3ba-4a31-a3a0-aa19d6aeead8" ], "threat_actors": [ { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "1df26eff-cd77-48dc-9425-95a4ec34bebe", "created_at": "2022-10-25T16:07:24.24501Z", "updated_at": "2026-04-10T02:00:04.9102Z", "deleted_at": null, "main_name": "SunCrypt Gang", "aliases": [], "source_name": "ETDA:SunCrypt Gang", "tools": [ "SunCrypt", "WARPRISM" ], "source_id": "ETDA", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "065b7ea2-5920-4270-824e-94ea8a79d197", "created_at": "2023-12-08T02:00:05.747632Z", "updated_at": "2026-04-10T02:00:03.492858Z", "deleted_at": null, "main_name": "UNC2447", "aliases": [], "source_name": "MISPGALAXY:UNC2447", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51", "created_at": "2022-10-25T16:07:24.35977Z", "updated_at": "2026-04-10T02:00:04.953882Z", "deleted_at": null, "main_name": "UNC2447", "aliases": [], "source_name": "ETDA:UNC2447", "tools": [ "7-Zip", "AdFind", "Agentemis", "Cobalt Strike", "CobaltStrike", "DEATHRANSOM", "DeathRansom", "FIVEHANDS", "FOXGRABBER", "HELLOKITTY", "HelloKitty", "KittyCrypt", "Mimikatz", "PCHUNTER", "RCLONE", "ROUTERSCAN", "Ragnar Locker", "RagnarLocker", "Rclone", "S3BROWSER", "SombRAT", "Thieflock", "WARPRISM", "cobeacon", "deathransom", "wacatac" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434655, "ts_updated_at": 1775826778, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d36d00c60aa2a0d60d9d4198faeae83d2d5b9a4b.pdf", "text": "https://archive.orkl.eu/d36d00c60aa2a0d60d9d4198faeae83d2d5b9a4b.txt", "img": "https://archive.orkl.eu/d36d00c60aa2a0d60d9d4198faeae83d2d5b9a4b.jpg" } }