{ "id": "a33177a3-3f3a-4985-ba68-79ee376c1170", "created_at": "2026-04-06T00:07:27.196145Z", "updated_at": "2026-04-10T03:34:23.542057Z", "deleted_at": null, "sha1_hash": "d65bb844e40b65a1b97f8bacbea6670707e6d2a7", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 42992, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:57:54 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool IronPython\n Tool: IronPython\nNames IronPython\nCategory Tools\nType Info stealer, Keylogger, Credential stealer\nDescription\nIronPython is an open-source implementation of the Python programming language which is\ntightly integrated with the .NET Framework. IronPython can use the .NET Framework and\nPython libraries, and other .NET languages can use Python code just as easily.\nInformation\nLast change to this tool card: 10 July 2020\nDownload this tool card in JSON format\nAll groups using tool IronPython\nChanged Name Country Observed\nAPT groups\n Evilnum [Unknown] 2018-2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6dd0166a-15d9-4790-a54f-9aceea304a0e\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6dd0166a-15d9-4790-a54f-9aceea304a0e\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6dd0166a-15d9-4790-a54f-9aceea304a0e" ], "report_names": [ "listgroups.cgi?u=6dd0166a-15d9-4790-a54f-9aceea304a0e" ], "threat_actors": [ { "id": "059b16f8-d4e0-4399-9add-18101a2fd298", "created_at": "2022-10-25T15:50:23.29434Z", "updated_at": "2026-04-10T02:00:05.380938Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "Evilnum" ], "source_name": "MITRE:Evilnum", "tools": [ "More_eggs", "EVILNUM", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "39ea99fb-1704-445d-b5cd-81e7c99d6012", "created_at": "2022-10-25T16:07:23.601894Z", "updated_at": "2026-04-10T02:00:04.684134Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "G0120", "Jointworm", "Operation Phantom in the [Command] Shell", "TA4563" ], "source_name": "ETDA:Evilnum", "tools": [ "Bypass-UAC", "Cardinal RAT", "ChromeCookiesView", "EVILNUM", "Evilnum", "IronPython", "LaZagne", "MailPassView", "More_eggs", "ProduKey", "PyVil", "PyVil RAT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraPreter", "TerraStealer", "TerraTV" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434047, "ts_updated_at": 1775792063, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d65bb844e40b65a1b97f8bacbea6670707e6d2a7.pdf", "text": "https://archive.orkl.eu/d65bb844e40b65a1b97f8bacbea6670707e6d2a7.txt", "img": "https://archive.orkl.eu/d65bb844e40b65a1b97f8bacbea6670707e6d2a7.jpg" } }