{ "id": "ea93f910-1b49-4f2b-afe4-abb76185f351", "created_at": "2026-04-06T00:17:55.204953Z", "updated_at": "2026-04-10T03:33:28.6482Z", "deleted_at": null, "sha1_hash": "e3c5d48668c13fc551263763c1cf62267caf469b", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54327, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:18:25 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Pay2Key\n Tool: Pay2Key\nNames\nPay2Key\nCobalt\nCategory Malware\nType Ransomware\nDescription\n(ClearSkySec) The ransomware is written in C++. Exceptionally, as other ransomware\ngroups encrypt their ransomware files or at least obfuscate internal strings to make\nanalysis more difficult, Pay2Key executable is unpacked and strings can be seen in clear\ntext.\nInformation MITRE ATT\u0026CK Malpedia Last change to this tool card: 01 January 2023\nDownload this tool card in JSON format\nAll groups using tool Pay2Key\nChanged Name Country Observed\nAPT groups\n Parisite, Fox Kitten, Pioneer Kitten 2017-Nov 2020\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=137c6319-b665-464b-b895-8c2346c8d9b4\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=137c6319-b665-464b-b895-8c2346c8d9b4\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=137c6319-b665-464b-b895-8c2346c8d9b4" ], "report_names": [ "listgroups.cgi?u=137c6319-b665-464b-b895-8c2346c8d9b4" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2c348851-5036-406b-b2d1-1ca47cfc7523", "created_at": "2022-10-25T16:07:24.039861Z", "updated_at": "2026-04-10T02:00:04.847961Z", "deleted_at": null, "main_name": "Parisite", "aliases": [ "Cobalt Foxglove", "Fox Kitten", "G0117", "Lemon Sandstorm", "Parisite", "Pioneer Kitten", "Rubidium", "UNC757" ], "source_name": "ETDA:Parisite", "tools": [ "Cobalt", "FRP", "Fast Reverse Proxy", "Invoke the Hash", "JuicyPotato", "Ngrok", "POWSSHNET", "Pay2Key", "Plink", "Port.exe", "PuTTY Link", "SSHMinion", "STSRCheck", "Serveo" ], "source_id": "ETDA", "reports": null }, { "id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c", "created_at": "2025-08-07T02:03:24.731268Z", "updated_at": "2026-04-10T02:00:03.651425Z", "deleted_at": null, "main_name": "COBALT FOXGLOVE", "aliases": [ "Fox Kitten ", "Lemon Sandstorm ", "Parisite ", "Pioneer Kitten ", "RUBIDIUM ", "UNC757 " ], "source_name": "Secureworks:COBALT FOXGLOVE", "tools": [ "Chisel", "FRP (Fast Reverse Proxy)", "Mimikatz", "Ngrok", "POWSSHNET", "STSRCheck", "Servo", "n3tw0rm ransomware", "pay2key ransomware" ], "source_id": "Secureworks", "reports": null }, { "id": "871acc40-6cbf-4c81-8b40-7f783616afbc", "created_at": "2023-01-06T13:46:39.156237Z", "updated_at": "2026-04-10T02:00:03.232876Z", "deleted_at": null, "main_name": "Fox Kitten", "aliases": [ "UNC757", "Lemon Sandstorm", "RUBIDIUM", "PIONEER KITTEN", "PARISITE" ], "source_name": "MISPGALAXY:Fox Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb", "created_at": "2022-10-25T15:50:23.676504Z", "updated_at": "2026-04-10T02:00:05.260839Z", "deleted_at": null, "main_name": "Fox Kitten", "aliases": [ "Fox Kitten", "UNC757", "Parisite", "Pioneer Kitten", "RUBIDIUM", "Lemon Sandstorm" ], "source_name": "MITRE:Fox Kitten", "tools": [ "China Chopper", "Pay2Key", "ngrok", "PsExec" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434675, "ts_updated_at": 1775792008, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e3c5d48668c13fc551263763c1cf62267caf469b.pdf", "text": "https://archive.orkl.eu/e3c5d48668c13fc551263763c1cf62267caf469b.txt", "img": "https://archive.orkl.eu/e3c5d48668c13fc551263763c1cf62267caf469b.jpg" } }