{
	"id": "7f5919db-53d4-4fe2-96fd-8dee4cf1f60b",
	"created_at": "2026-04-06T00:20:19.450499Z",
	"updated_at": "2026-04-10T03:25:29.682342Z",
	"deleted_at": null,
	"sha1_hash": "eedca3055223277f8839abfabaeef5dda8aba025",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48060,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:43:24 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PowHeartBeat\n Tool: PowHeartBeat\nNames PowHeartBeat\nCategory Malware\nType Backdoor\nDescription\n(ESET) PowHeartBeat is a full-featured backdoor written in PowerShell, obfuscated using\nvarious techniques such as compression, encoding, and encryption. Based on ESET telemetry,\nwe believe PowHeartBeat replaced CLRLoad in more recent Worok campaigns as the tool\nused to launch PNGLoad.\nInformation Last change to this tool card: 13 September 2022\nDownload this tool card in JSON format\nAll groups using tool PowHeartBeat\nChanged Name Country Observed\nAPT groups\n Worok 2020\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ce37b5d7-a9c6-4348-a4f1-f23fb90f322c\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ce37b5d7-a9c6-4348-a4f1-f23fb90f322c\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ce37b5d7-a9c6-4348-a4f1-f23fb90f322c"
	],
	"report_names": [
		"listgroups.cgi?u=ce37b5d7-a9c6-4348-a4f1-f23fb90f322c"
	],
	"threat_actors": [
		{
			"id": "a7e5d6c0-5f7e-4d1c-87fa-bbf65b4e65b9",
			"created_at": "2022-10-25T16:07:24.42571Z",
			"updated_at": "2026-04-10T02:00:04.984213Z",
			"deleted_at": null,
			"main_name": "Worok",
			"aliases": [],
			"source_name": "ETDA:Worok",
			"tools": [
				"CLRLoad",
				"Mimikatz",
				"NBTscan",
				"PNGLoad",
				"PowHeartBeat",
				"SAMRID",
				"nbtscan",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e294737b-6aa7-480e-841d-cbed102c356c",
			"created_at": "2023-07-20T02:00:08.787855Z",
			"updated_at": "2026-04-10T02:00:03.368575Z",
			"deleted_at": null,
			"main_name": "Worok",
			"aliases": [],
			"source_name": "MISPGALAXY:Worok",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434819,
	"ts_updated_at": 1775791529,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eedca3055223277f8839abfabaeef5dda8aba025.pdf",
		"text": "https://archive.orkl.eu/eedca3055223277f8839abfabaeef5dda8aba025.txt",
		"img": "https://archive.orkl.eu/eedca3055223277f8839abfabaeef5dda8aba025.jpg"
	}
}