{ "id": "93a25e6d-ba62-4b95-b5ed-6575c0b473f9", "created_at": "2026-04-06T00:17:03.674334Z", "updated_at": "2026-04-10T03:33:13.954902Z", "deleted_at": null, "sha1_hash": "ef161f6c579b4a2f5720c44c623f7b529cb125e0", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49281, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:00:20 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Janicab\n Tool: Janicab\nNames Janicab\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer\nDescription\n(F-Secure) For Windows OS, this malware was delivered via a document that exploited\nCVE-2012-0158. In addition, we've also seen it delivered in a form of a Microsoft Shell\nLink (.lnk) file that drops an embedded encoded VBScript, sometime from 2013 until\nrecently.\nThere are several tricks the dropper uses for obfuscating its purpose:\n- Filename with double extension (Example: .jpg.lnk or .doc.lnk)\n- Using the icon of notepad.exe (instead of the default, cmd.exe)\n- Possibly sensitive data zeroed out, for example, machine identifier and relative path\nBut the most interesting part is the use of an undocumented method for hiding the\ncommand line argument string from Windows explorer. Typically, the target and its\narguments are visible in Windows explorer as a single string in the shortcut properties,\nwhen the user right-clicks on the shortcut icon. However, the command line argument is\nnot visible in this scenario.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=44b545b8-3815-40f9-8e4d-e6e49aec793d\nPage 1 of 2\n\nAll groups using tool Janicab\r\nChanged Name Country Observed\r\nAPT groups\r\n  Deceptikons, DeathStalker [Unknown] 2012-Jun 2020  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=44b545b8-3815-40f9-8e4d-e6e49aec793d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=44b545b8-3815-40f9-8e4d-e6e49aec793d\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=44b545b8-3815-40f9-8e4d-e6e49aec793d" ], "report_names": [ "listgroups.cgi?u=44b545b8-3815-40f9-8e4d-e6e49aec793d" ], "threat_actors": [ { "id": "f7aa6029-2b01-4eee-8fe6-287330e087c9", "created_at": "2022-10-25T16:07:23.536763Z", "updated_at": "2026-04-10T02:00:04.646542Z", "deleted_at": null, "main_name": "Deceptikons", "aliases": [ "DeathStalker", "Deceptikons" ], "source_name": "ETDA:Deceptikons", "tools": [ "EVILNUM", "Evilnum", "Janicab", "PowerPepper", "Powersing", "VileRAT" ], "source_id": "ETDA", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434623, "ts_updated_at": 1775791993, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ef161f6c579b4a2f5720c44c623f7b529cb125e0.pdf", "text": "https://archive.orkl.eu/ef161f6c579b4a2f5720c44c623f7b529cb125e0.txt", "img": "https://archive.orkl.eu/ef161f6c579b4a2f5720c44c623f7b529cb125e0.jpg" } }