{
	"id": "637d45cc-698f-4ef9-a97f-f21509cd7347",
	"created_at": "2026-04-06T00:14:13.000129Z",
	"updated_at": "2026-04-10T03:36:19.108133Z",
	"deleted_at": null,
	"sha1_hash": "daf447239a538e60359b986ca142fbc6d2411613",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46575,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:50:19 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SameCoin\n Tool: SameCoin\nNames SameCoin\nCategory Malware\nType Wiper\nDescription\n(HarfangLab) Following an X post by IntezerLab about an attack campaign that they dubbed\n“SameCoin”, we analyzed the samples they discovered and found a few identical variants. The\ninfection vector appears to be an email impersonating the Israeli National Cyber Directorate,\nwhich tricks the reader into downloading malicious files which are presented as ‘security\npatches’.\nVictims who download and execute linked files are infected with a wiper which, under certain\ncircumstances, could also infect other hosts in the network. We assess that the campaign’s\nreach was limited, evidenced by the fact that the malware linked in the email was downloaded\nonly a few dozen times.\nInformation\nLast change to this tool card: 26 December 2024\nDownload this tool card in JSON format\nAll groups using tool SameCoin\nChanged Name Country Observed\nAPT groups\n WIRTE Group [Middle East] 2018-Feb 2024\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e249efb-70a3-40b4-b21d-ee20a3bec3b8\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e249efb-70a3-40b4-b21d-ee20a3bec3b8\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e249efb-70a3-40b4-b21d-ee20a3bec3b8\r\nPage 2 of 2\n\nAPT groups WIRTE Group [Middle East] 2018-Feb 2024\n1 group listed (1 APT, 0 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e249efb-70a3-40b4-b21d-ee20a3bec3b8"
	],
	"report_names": [
		"listgroups.cgi?u=2e249efb-70a3-40b4-b21d-ee20a3bec3b8"
	],
	"threat_actors": [
		{
			"id": "b14cd6df-3108-4839-8a2d-52eb2f8ce9c8",
			"created_at": "2022-10-25T15:50:23.798666Z",
			"updated_at": "2026-04-10T02:00:05.255838Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"WIRTE"
			],
			"source_name": "MITRE:WIRTE",
			"tools": [
				"LitePower",
				"Ferocious"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7800d05d-e713-4a4f-9b4f-0b960fb82c9d",
			"created_at": "2023-11-14T02:00:07.079123Z",
			"updated_at": "2026-04-10T02:00:03.444083Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"Ashen Lepus"
			],
			"source_name": "MISPGALAXY:WIRTE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bad0c51-0d2b-4f04-b355-f88c960db813",
			"created_at": "2025-08-07T02:03:24.546734Z",
			"updated_at": "2026-04-10T02:00:03.691101Z",
			"deleted_at": null,
			"main_name": "ALUMINUM THORN",
			"aliases": [
				"Frankenstein ",
				"WIRTE "
			],
			"source_name": "Secureworks:ALUMINUM THORN",
			"tools": [
				"FruityC2",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa5c2fa9-e018-484b-9f4a-0ef76ebbbf57",
			"created_at": "2022-10-25T16:07:24.41839Z",
			"updated_at": "2026-04-10T02:00:04.982315Z",
			"deleted_at": null,
			"main_name": "WIRTE Group",
			"aliases": [
				"G0090",
				"White Dev 21"
			],
			"source_name": "ETDA:WIRTE Group",
			"tools": [
				"EmPyre",
				"EmpireProject",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"Jenxcus",
				"Kognito",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Njw0rm",
				"PowerShell Empire",
				"SameCoin",
				"WSHRAT",
				"dinihou",
				"dunihi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775792179,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/daf447239a538e60359b986ca142fbc6d2411613.pdf",
		"text": "https://archive.orkl.eu/daf447239a538e60359b986ca142fbc6d2411613.txt",
		"img": "https://archive.orkl.eu/daf447239a538e60359b986ca142fbc6d2411613.jpg"
	}
}