{ "id": "63a3bf48-547c-4d94-85e8-a6f78d5edb29", "created_at": "2026-04-06T00:06:40.547564Z", "updated_at": "2026-04-10T03:35:47.13565Z", "deleted_at": null, "sha1_hash": "ee45f48dfd646b25dceee34dd2804c14bac64b93", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51434, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:06:09 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Creamsicle\r\n Tool: Creamsicle\r\nNames Creamsicle\r\nCategory Malware\r\nType Downloader\r\nDescription\r\n(FireEye) CREAMSICLE attempts to download an encoded executable from a specified\r\nlocation.\r\nThe downloaded file is decoded, written to disk as\r\n%APPDATA%\\Norton360\\Engine\\5.1.0.29\\ccSvcHst.exe, and padded with 51,200,000\r\nnull bytes. CREAMSICLE does not appear to execute the downloaded file, presumably\r\nrelying on Windows to do so (using the shortcut file in the user’s Startup folder) the next\r\ntime the user logs in.\r\nInformation\r\n\u003chttps://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/05/20081935/rpt-apt30.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.creamsicle\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:CREAMSICLE\u003e\r\nLast change to this tool card: 23 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Creamsicle\r\nChanged Name Country Observed\r\nAPT groups\r\n  APT 30, Override Panda 2005  \r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ec3678b0-7ffb-4b53-ae26-cfbd54dfc3df\r\nPage 1 of 2\n\nNaikon, Lotus Panda 2010-Apr 2022  \r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ec3678b0-7ffb-4b53-ae26-cfbd54dfc3df\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ec3678b0-7ffb-4b53-ae26-cfbd54dfc3df\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ec3678b0-7ffb-4b53-ae26-cfbd54dfc3df" ], "report_names": [ "listgroups.cgi?u=ec3678b0-7ffb-4b53-ae26-cfbd54dfc3df" ], "threat_actors": [ { "id": "360f51f5-8a80-41d6-92c4-9aa042cd2732", "created_at": "2022-10-25T16:07:23.34569Z", "updated_at": "2026-04-10T02:00:04.55147Z", "deleted_at": null, "main_name": "APT 30", "aliases": [ "APT 30", "Bronze Geneva", "Bronze Sterling", "CTG-5326", "G0013", "Override Panda", "RADIUM", "Raspberry Typhoon" ], "source_name": "ETDA:APT 30", "tools": [ "BackBend", "Creamsicle", "Flashflood", "Gemcutter", "Lecna", "NetEagle", "Neteagle_Scout", "Orangeade", "ScoutEagle", "Shipshape", "ZRLnk", "norton" ], "source_id": "ETDA", "reports": null }, { "id": "a9ee8219-1882-4b1b-bac8-641b1603787d", "created_at": "2022-10-25T15:50:23.78263Z", "updated_at": "2026-04-10T02:00:05.351155Z", "deleted_at": null, "main_name": "APT30", "aliases": [ "APT30" ], "source_name": "MITRE:APT30", "tools": [ "SHIPSHAPE", "FLASHFLOOD", "NETEAGLE" ], "source_id": "MITRE", "reports": null }, { "id": "30ed778d-15b3-484e-a90b-e1e05b36a42f", "created_at": "2023-01-06T13:46:38.290626Z", "updated_at": "2026-04-10T02:00:02.91411Z", "deleted_at": null, "main_name": "APT30", "aliases": [ "G0013" ], "source_name": "MISPGALAXY:APT30", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b69484be-98d1-49e6-aed1-a28dbf65176a", "created_at": "2022-10-25T16:07:23.886782Z", "updated_at": "2026-04-10T02:00:04.779029Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "G0019", "Hellsing", "ITG06", "Lotus Panda", "Naikon", "Operation CameraShy" ], "source_name": "ETDA:Naikon", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "AR", "ARL", "Agent.dhwf", "Aria-body", "Aria-body loader", "Asset Reconnaissance Lighthouse", "BackBend", "Creamsicle", "Custom HDoor", "Destroy RAT", "DestroyRAT", "Flashflood", "FoundCore", "Gemcutter", "HDoor", "JadeRAT", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LadonGo", "Lecna", "Living off the Land", "NBTscan", "Naikon", "NetEagle", "Neteagle_Scout", "NewCore RAT", "Orangeade", "PlugX", "Quarks PwDump", "RARSTONE", "RainyDay", "RedDelta", "RoyalRoad", "Sacto", "Sandboxie", "ScoutEagle", "Shipshape", "Sisfader", "Sisfader RAT", "Sogu", "SslMM", "Sys10", "TIGERPLUG", "TVT", "TeamViewer", "Thoper", "WinMM", "Xamtrav", "XsFunction", "ZRLnk", "nbtscan", "nokian", "norton", "xsControl", "xsPlus" ], "source_id": "ETDA", "reports": null }, { "id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32", "created_at": "2023-04-20T02:01:50.979595Z", "updated_at": "2026-04-10T02:00:02.913011Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "BRONZE STERLING", "G0013", "PLA Unit 78020", "OVERRIDE PANDA", "Camerashy", "BRONZE GENEVA", "G0019", "Naikon" ], "source_name": "MISPGALAXY:Naikon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c21da9ce-944f-4a37-8ce3-71a0f738af80", "created_at": "2025-08-07T02:03:24.586257Z", "updated_at": "2026-04-10T02:00:03.804264Z", "deleted_at": null, "main_name": "BRONZE ELGIN", "aliases": [ "CTG-8171 ", "Lotus Blossom ", "Lotus Panda ", "Lstudio", "Spring Dragon " ], "source_name": "Secureworks:BRONZE ELGIN", "tools": [ "Chrysalis", "Cobalt Strike", "Elise", "Emissary Trojan", "Lzari", "Meterpreter" ], "source_id": "Secureworks", "reports": null }, { "id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf", "created_at": "2022-10-25T15:50:23.31611Z", "updated_at": "2026-04-10T02:00:05.370146Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "Naikon" ], "source_name": "MITRE:Naikon", "tools": [ "ftp", "netsh", "WinMM", "Systeminfo", "RainyDay", "RARSTONE", "HDoor", "Sys10", "SslMM", "PsExec", "Tasklist", "Aria-body" ], "source_id": "MITRE", "reports": null }, { "id": "87a20b72-ab72-402f-9013-c746c8458b0b", "created_at": "2023-01-06T13:46:38.293223Z", "updated_at": "2026-04-10T02:00:02.915184Z", "deleted_at": null, "main_name": "LOTUS PANDA", "aliases": [ "Red Salamander", "Lotus BLossom", "Billbug", "Spring Dragon", "ST Group", "BRONZE ELGIN", "ATK1", "G0030", "Lotus Blossom", "DRAGONFISH" ], "source_name": "MISPGALAXY:LOTUS PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62", "created_at": "2025-08-07T02:03:24.604463Z", "updated_at": "2026-04-10T02:00:03.798481Z", "deleted_at": null, "main_name": "BRONZE GENEVA", "aliases": [ "APT30 ", "BRONZE STERLING ", "CTG-5326 ", "Naikon ", "Override Panda ", "RADIUM ", "Raspberry Typhoon" ], "source_name": "Secureworks:BRONZE GENEVA", "tools": [ "Lecna Downloader", "Nebulae", "ShadowPad" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434000, "ts_updated_at": 1775792147, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ee45f48dfd646b25dceee34dd2804c14bac64b93.pdf", "text": "https://archive.orkl.eu/ee45f48dfd646b25dceee34dd2804c14bac64b93.txt", "img": "https://archive.orkl.eu/ee45f48dfd646b25dceee34dd2804c14bac64b93.jpg" } }