{ "id": "f640151b-cd33-42e2-bfba-969cd0033861", "created_at": "2026-04-06T00:13:10.589705Z", "updated_at": "2026-04-10T03:34:00.632042Z", "deleted_at": null, "sha1_hash": "e786b7cc1b0988f406ebae819d20351bb98ec65b", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 58771, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:09:44 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PINEFLOWER\r\n Tool: PINEFLOWER\r\nNames\r\nPINEFLOWER\r\nCORRUPT KITTEN\r\nCategory Malware\r\nType Backdoor, Info stealer, Exfiltration\r\nDescription\r\n(FireEye) CORRUPT KITTEN was the author’s chosen name for an Android implant that,\r\naccording to the blog, ‘supports a full range of spying and device management capability’. The\r\nblog contained a summary analysis of this CORRUPT KITTEN implant and an MD5 hash for\r\na DEX file allegedly using the same C\u0026C server.\r\nNotably, the author also noted that the malware stored files ready for exfiltration in a directory\r\nnamed ‘.data_gsc98647a3’, the string we identified in our PINEFLOWER samples. It seemed\r\nlikely that CORRUPT KITTEN and PINEFLOWER were one and the same.\r\nInformation \u003chttps://vblocalhost.com/uploads/VB2021-Haeghebaert.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/apk.pineflower\u003e\r\nLast change to this tool card: 22 June 2023\r\nDownload this tool card in JSON format\r\nAll groups using tool PINEFLOWER\r\nChanged Name Country Observed\r\nAPT groups\r\n  APT 42 2015-Feb 2024  \r\n  Magic Hound, APT 35, Cobalt Illusion, Charming Kitten 2012-Jun 2025\r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8a823fe9-e03f-4c37-be82-3288c05ec213\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8a823fe9-e03f-4c37-be82-3288c05ec213\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8a823fe9-e03f-4c37-be82-3288c05ec213\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8a823fe9-e03f-4c37-be82-3288c05ec213" ], "report_names": [ "listgroups.cgi?u=8a823fe9-e03f-4c37-be82-3288c05ec213" ], "threat_actors": [ { "id": "82b92285-4588-48c9-8578-bb39f903cf62", "created_at": "2022-10-25T15:50:23.850506Z", "updated_at": "2026-04-10T02:00:05.418577Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "Charming Kitten" ], "source_name": "MITRE:Charming Kitten", "tools": [ "DownPaper" ], "source_id": "MITRE", "reports": null }, { "id": "d8af157e-741b-4933-bb4a-b78490951d97", "created_at": "2023-01-06T13:46:38.748929Z", "updated_at": "2026-04-10T02:00:03.087356Z", "deleted_at": null, "main_name": "APT35", "aliases": [ "COBALT MIRAGE", "Agent Serpens", "Newscaster Team", "Magic Hound", "G0059", "Phosphorus", "Mint Sandstorm", "TunnelVision" ], "source_name": "MISPGALAXY:APT35", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9f778366-a4a7-42f1-ab1e-362aa065ee4f", "created_at": "2022-10-25T16:07:23.362157Z", "updated_at": "2026-04-10T02:00:04.562925Z", "deleted_at": null, "main_name": "APT 42", "aliases": [ "GreenBravo" ], "source_name": "ETDA:APT 42", "tools": [ "BROKEYOLK", "CHAIRSMACK", "CORRUPT KITTEN", "DOSTEALER", "GORBLE", "Ghambar", "MAGICDROP", "PINEFLOWER", "POWERPOST", "SILENTUPLOADER", "TABBYCAT", "TAMECAT", "VBREVSHELL", "VINETHORN" ], "source_id": "ETDA", "reports": null }, { "id": "029625d2-9734-44f9-9e10-b894b4f57f08", "created_at": "2023-01-06T13:46:38.364105Z", "updated_at": "2026-04-10T02:00:02.944092Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "iKittens", "Group 83", "NewsBeef", "G0058", "CharmingCypress", "Mint Sandstorm", "Parastoo" ], "source_name": "MISPGALAXY:Charming Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f", "created_at": "2022-10-25T16:07:23.83826Z", "updated_at": "2026-04-10T02:00:04.761303Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "APT 35", "Agent Serpens", "Ballistic Bobcat", "Charming Kitten", "CharmingCypress", "Cobalt Illusion", "Cobalt Mirage", "Educated Manticore", "G0058", "G0059", "Magic Hound", "Mint Sandstorm", "Operation BadBlood", "Operation Sponsoring Access", "Operation SpoofedScholars", "Operation Thamar Reservoir", "Phosphorus", "TA453", "TEMP.Beanie", "Tarh Andishan", "Timberworm", "TunnelVision", "UNC788", "Yellow Garuda" ], "source_name": "ETDA:Magic Hound", "tools": [ "7-Zip", "AnvilEcho", "BASICSTAR", "CORRUPT KITTEN", "CWoolger", "CharmPower", "ChromeHistoryView", "CommandCam", "DistTrack", "DownPaper", "FRP", "Fast Reverse Proxy", "FireMalv", "Ghambar", "GoProxy", "GorjolEcho", "HYPERSCRAPE", "Havij", "MPK", "MPKBot", "Matryoshka", "Matryoshka RAT", "MediaPl", "Mimikatz", "MischiefTut", "NETWoolger", "NOKNOK", "PINEFLOWER", "POWERSTAR", "PowerLess Backdoor", "PsList", "Pupy", "PupyRAT", "SNAILPROXY", "Shamoon", "TDTESS", "WinRAR", "WoolenLogger", "Woolger", "pupy", "sqlmap" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434390, "ts_updated_at": 1775792040, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e786b7cc1b0988f406ebae819d20351bb98ec65b.pdf", "text": "https://archive.orkl.eu/e786b7cc1b0988f406ebae819d20351bb98ec65b.txt", "img": "https://archive.orkl.eu/e786b7cc1b0988f406ebae819d20351bb98ec65b.jpg" } }