{ "id": "7ed7ddab-fc00-4c28-ada3-b83e1dcda2d8", "created_at": "2026-04-06T00:18:27.600687Z", "updated_at": "2026-04-10T03:33:23.702085Z", "deleted_at": null, "sha1_hash": "e5b985471cb2213de820c08f05c4ed714514bae0", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54391, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:52:27 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool liderc\r\n Tool: liderc\r\nNames liderc\r\nCategory Malware\r\nType Reconnaissance, Info stealer, Exfiltration\r\nDescription\r\n(Talos) The downloaded reconnaissance tool is named 'bird.exe' on the system and the internal\r\nname is Liderc. Liderc is a unique supernatural being of Hungarian folklore. The original form\r\nof this creature is a chicken, that would explain the name of the dropped PE on the system,\r\n'Bird.exe.'\r\nThe purpose is to collect a lot of information on the victim machine.\r\nInformation \u003chttps://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.liderc\u003e\r\nLast change to this tool card: 09 August 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool liderc\r\nChanged Name Country Observed\r\nAPT groups\r\n  Tortoiseshell, Imperial Kitten 2018-Oct 2023\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=69ce416a-a404-4ffb-b65c-25a22f081e01\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=69ce416a-a404-4ffb-b65c-25a22f081e01\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=69ce416a-a404-4ffb-b65c-25a22f081e01" ], "report_names": [ "listgroups.cgi?u=69ce416a-a404-4ffb-b65c-25a22f081e01" ], "threat_actors": [ { "id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d", "created_at": "2023-11-17T02:00:07.580677Z", "updated_at": "2026-04-10T02:00:03.452097Z", "deleted_at": null, "main_name": "Bohrium", "aliases": [ "BOHRIUM", "IMPERIAL KITTEN", "Smoke Sandstorm" ], "source_name": "MISPGALAXY:Bohrium", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7", "created_at": "2023-01-06T13:46:39.054248Z", "updated_at": "2026-04-10T02:00:03.197801Z", "deleted_at": null, "main_name": "Tortoiseshell", "aliases": [ "Yellow Liderc", "Imperial Kitten", "Crimson Sandstorm", "Cuboid Sandstorm", "Smoke Sandstorm", "IMPERIAL KITTEN", "TA456", "DUSTYCAVE", "CURIUM" ], "source_name": "MISPGALAXY:Tortoiseshell", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00", "created_at": "2022-10-25T16:07:24.337332Z", "updated_at": "2026-04-10T02:00:04.94285Z", "deleted_at": null, "main_name": "Tortoiseshell", "aliases": [ "Cobalt Fireside", "Crimson Sandstorm", "Cuboid Sandstorm", "Curium", "Devious Serpens", "Houseblend", "Imperial Kitten", "Marcella Flores", "Operation Fata Morgana", "TA456", "Yellow Liderc" ], "source_name": "ETDA:Tortoiseshell", "tools": [ "IMAPLoader", "Infostealer", "IvizTech", "LEMPO", "MANGOPUNCH", "SysKit", "get-logon-history.ps1", "liderc", "stereoversioncontrol" ], "source_id": "ETDA", "reports": null }, { "id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47", "created_at": "2025-08-07T02:03:24.726943Z", "updated_at": "2026-04-10T02:00:03.805423Z", "deleted_at": null, "main_name": "COBALT FIRESIDE", "aliases": [ "CURIUM ", "Crimson Sandstorm ", "Cuboid Sandstorm ", "DEV-0228 ", "HIVE0095 ", "Imperial Kitten ", "TA456 ", "Tortoiseshell ", "UNC3890 ", "Yellow Liderc " ], "source_name": "Secureworks:COBALT FIRESIDE", "tools": [ "FireBAK", "LEMPO", "LiderBird" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434707, "ts_updated_at": 1775792003, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e5b985471cb2213de820c08f05c4ed714514bae0.pdf", "text": "https://archive.orkl.eu/e5b985471cb2213de820c08f05c4ed714514bae0.txt", "img": "https://archive.orkl.eu/e5b985471cb2213de820c08f05c4ed714514bae0.jpg" } }